Re: Login credentials and session id security

["James Landis" <jcl24 () cornell edu>]

Vishal,
You should always use the POST method when sending sensitive
information via HTTP. Hidden fields are not an alternative to POST or
GET. Ideally, the server should also respond to each POST request with
a 30x as opposed to a 200.

You cannot prevent a user from "deploying a Web proxy" to intercept
their own HTTP requests, but why are you worried about your end users
viewing credentials that they themselves have entered? The
authentication features built into SSL prevent an attacker from
setting up a Web proxy which will allow them to view the credentials
of others. Even if the attacker is successful at tricking the user
into setting up a tunnel which terminates on the attacker's proxy, the
end user will be warned that the certificate does not match that of
the target domain provided by their CA.

Session IDs should always be sent to the client using session cookies
with the Secure flag set, the HTTPOnly flag set (if the browser
supports it), and path and domain parameters limited as strictly as
possible. In an ideal world, the session ID is destroyed and a new one
is sent to the client after only a single use. However, this is
usually not practical. Sane limits on session expiration should be set
including a short inactivity timeout and an absolute timeout. These
timeouts should both be as short as possible without negatively
impacting user experience. Session IDs should not be generated and
sent to the client until after a successful authentication has taken
place. Session IDs should be destroyed and new IDs created whenever
the privilege level associated with the session changes. Session IDs
should be explicitly terminated whenever the user leaves the
application, whether this takes place via an explicit logout, or the
user closes the browser window or navigates away from the application.

There are many more specific recommendations that can be made, but
those are the general answers to your questions that should apply to
any Web app that you might be building.

-j

On 6/6/07, Vishal Garg <vishal () firstbase co uk> wrote:
> Hi All,
>
> Can someone please tell what is the most secure way of sending login
> credentials to the server. The possible ways that I am familiar with are:
>
> - get method
> - post method
> - hidden form fields
>
> By using an encrypted connection we cannot sniff the credentials, but
> still it is very easy to capture or manipulate these credentials
> using a web proxy from any of these methods. So I am looking to find
> a method to transport the credentials to the server so that the
> security of these credentials can't be compromised even by deploying
> a web proxy.
>
> Also once a session id is generated, what is the best way to maintain
> the security of a session id.
>
> Any help would be much appreciated.
>
> Regards
> Vishal
>
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> The Twelve Most Common Application-level Hack Attacks
> Hackers continue to add billions to the cost of doing business online
> despite security executives' efforts to prevent malicious attacks. This
> whitepaper identifies the most common methods of attacks that we have seen,
> and outlines a guideline for developing secure web applications.
> Download today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
> --------------------------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------