WebApp Sec mailing list archives
Re: Login credentials and session id security
From: "James Landis" <jcl24 () cornell edu>
Date: Thu, 7 Jun 2007 09:48:36 -0400
Vishal,

You should always use the POST method when sending sensitive information via HTTP. Hidden fields are not an alternative to POST or GET. Ideally, the server should also respond to each POST request with a 30x as opposed to a 200.

You cannot prevent a user from "deploying a Web proxy" to intercept their own HTTP requests, but why are you worried about your end users viewing credentials that they themselves have entered? The authentication features built into SSL prevent an attacker from setting up a Web proxy which will allow them to view the credentials of others. Even if the attacker is successful at tricking the user into setting up a tunnel which terminates on the attacker's proxy, the end user will be warned that the certificate does not match that of the target domain provided by their CA.

Session IDs should always be sent to the client using session cookies with the Secure flag set, the HTTPOnly flag set (if the browser supports it), and path and domain parameters limited as strictly as possible. In an ideal world, the session ID is destroyed and a new one is sent to the client after only a single use. However, this is usually not practical. Sane limits on session expiration should be set, including a short inactivity timeout and an absolute timeout. These timeouts should both be as short as possible without negatively impacting user experience.

Session IDs should not be generated and sent to the client until after a successful authentication has taken place. Session IDs should be destroyed and new IDs created whenever the privilege level associated with the session changes. Session IDs should be explicitly terminated whenever the user leaves the application, whether this takes place via an explicit logout, or the user closes the browser window or navigates away from the application.
There are many more specific recommendations that can be made, but those are the general answers to your questions that should apply to any Web app that you might be building.

-j

On 6/6/07, Vishal Garg <vishal () firstbase co uk> wrote:
> Hi All,
>
> Can someone please tell me what is the most secure way of sending login credentials to the server? The possible ways that I am familiar with are:
> - get method
> - post method
> - hidden form fields
>
> By using an encrypted connection we cannot sniff the credentials, but still it is very easy to capture or manipulate these credentials using a web proxy with any of these methods. So I am looking to find a method to transport the credentials to the server so that the security of these credentials can't be compromised even by deploying a web proxy.
>
> Also, once a session id is generated, what is the best way to maintain the security of a session id?
>
> Any help would be much appreciated.
>
> Regards
> Vishal

-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
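The session-handling advice in James's reply (POST then redirect, no session ID before a successful login, Secure and HttpOnly cookies with a tight path, inactivity and absolute timeouts, a fresh ID on privilege change, explicit destruction on logout) worked through as an added example. This is illustration code written for this archive page, not code from either poster; the names SessionStore, handle_login, handle_logout, USERS and the /app path are assumed, and the user table and salt are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time


def _hash_pw(password, salt):
    # PBKDF2-SHA256 so stored credentials are not plain hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user table: username -> (salt, password hash).
# Real code uses a distinct random salt per user.
_SALT = b"constructed-static-salt"
USERS = {"vishal": (_SALT, _hash_pw("correct horse", _SALT))}


class SessionStore:
    """In-memory session table with an inactivity and an absolute timeout."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock  # injectable so timeouts can be tested
        self._sessions = {}

    def create(self, user, role="user"):
        # Only called after authentication succeeded: no ID exists before login.
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "role": role, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_timeout:
            self.destroy(sid)  # expired sessions are dropped, not just refused
            return None
        s["last_seen"] = now
        return s

    def rotate(self, sid, new_role=None):
        """Issue a fresh ID for an existing session, e.g. when privilege changes.
        The old ID stops working at once; the absolute timeout still counts
        from the original login because 'created' is kept."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        if new_role is not None:
            s["role"] = new_role
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid, path="/app"):
    # Omitting Domain gives a host-only cookie, the strictest domain scope.
    # Secure keeps it off plain HTTP; HttpOnly keeps it away from script.
    return f"sid={sid}; Path={path}; Secure; HttpOnly"


def handle_login(method, form, store):
    """Return (status, headers) for a login request."""
    if method != "POST":
        return 405, {"Allow": "POST"}  # credentials never travel in a GET query string
    user = form.get("user", "")
    salt, expected = USERS.get(user, (_SALT, b""))
    # Constant-time compare; unknown users still pay for the hash.
    if not hmac.compare_digest(_hash_pw(form.get("password", ""), salt), expected):
        return 401, {}
    sid = store.create(user)
    # 303 after the POST so a reload or Back does not resubmit the credentials.
    return 303, {"Location": "/app/home", "Set-Cookie": session_cookie(sid)}


def handle_logout(sid, store):
    """Explicit logout: destroy server state and tell the browser to drop the cookie."""
    store.destroy(sid)
    expired = "sid=; Path=/app; Max-Age=0; Secure; HttpOnly"
    return 303, {"Location": "/app/login", "Set-Cookie": expired}
```

A request handler would call `store.lookup(sid)` on every request and treat `None` as "not logged in"; the short inactivity timeout is what limits the window after the user simply closes the browser, since the server never sees that event.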