Re: Safe session IDs (How about Hijacking)

From: Giorgio Zoppi (gzppiat_private)
Date: Fri Jan 11 2002 - 17:42:29 PST


    On Fri, Jan 11, 2002 at 04:13:36PM -0500, Ryan M Harris wrote:
    > Ooh, and here's a good question.  Once I get it to the client, how can I
    > make sure that it wasn't hijacked via man-in-the-middle or a sniffer on the
    > client end?
    
    First of all, you should read
    
    Dos and Don'ts of Web Authentication by Kevin Fu
    placed at
    http://cookies.lcs.mit.edu/pubs/webauth.html
    
    In that document there's a simple way,
    which includes the use of HMAC_SHA1 (with PHP you've the choice to
    use mhash lib or openssl) and SSL.
    
    ----------------------------------------------------------------------------------
    Giorgio Zoppi		| James Bond Log Project				 |
    gzoppiat_private	| http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/bondlog |
    denebat_private	|							 |
    ----------------------------------------------------------------------------------
    
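The reply above points at the authenticator scheme from Fu's paper (an expiry time and session data, MAC'd together with a server-side key) as the fix for forged session IDs, and at SSL as the fix for sniffing. The following is an added example, not code from the post, the paper or any PHP library, that builds and verifies such a cookie with HMAC-SHA1 in Python. The cookie layout `exp=t&data=s&digest=HMAC(...)`, the key value and the timestamps are constructed for illustration. The `demo` function also shows the limit of the MAC alone: a tampered or expired cookie is rejected, but an unmodified cookie captured on the wire still verifies until it expires, which is exactly why the reply pairs the MAC with SSL.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed server-side secret for the example; a real deployment loads it
# from protected configuration and never ships it to the client.
SERVER_KEY = b"example-server-secret-key-not-for-production"


def make_cookie(data: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    """Build exp=t&data=s&digest=HMAC_SHA1(key, "exp=t&data=s").

    `data` should be an opaque server-chosen value (e.g. a user id); the
    client can read it but cannot change it without breaking the digest.
    """
    payload = f"exp={expires_at}&data={data}"
    digest = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    return f"{payload}&digest={digest}"


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the data field if the digest is valid and the cookie is unexpired.

    Returns None for malformed, tampered or expired cookies. The digest is
    checked before the expiry so both paths cost the same and give the same
    answer to an attacker probing the server.
    """
    payload, sep, digest = cookie.rpartition("&digest=")
    if not sep:
        return None  # no digest field at all
    exp_part, sep2, data = payload.partition("&data=")
    if not sep2 or not exp_part.startswith("exp="):
        return None  # wrong layout
    try:
        expires_at = int(exp_part[len("exp="):])
    except ValueError:
        return None  # expiry is not an integer
    expected = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    # Constant-time comparison so a byte-by-byte mismatch does not leak timing.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None
    if now >= expires_at:
        return None
    return data


def demo() -> Dict[str, Optional[str]]:
    """Exercise the four cases a defender cares about; timestamps are constructed."""
    now = 1_010_800_000
    cookie = make_cookie("uid=42", expires_at=now + 3600)
    return {
        # Honest client, within the validity window.
        "valid": verify_cookie(cookie, now),
        # Client edits the data field: digest no longer matches.
        "tampered": verify_cookie(cookie.replace("uid=42", "uid=1"), now),
        # Same cookie presented after the expiry time.
        "expired": verify_cookie(cookie, now + 7200),
        # Cookie copied unmodified off an unencrypted connection and
        # replayed a minute later: the MAC cannot tell, only SSL prevents it.
        "replayed_before_expiry": verify_cookie(cookie, now + 60),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

Keeping the expiry short bounds the window in which a replayed cookie is useful, but it does not close it; transporting the cookie only over SSL (and marking it `secure` so the browser never sends it in clear) is what stops the sniffer case the original question asks about.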
    This archive was generated by hypermail 2b30 : Sat Jan 12 2002 - 08:21:57 PST