NYCPHP Meetup

NYPHP.org

[nycphp-talk] Session Thoughts

felix zaslavskiy felix at students.poly.edu
Fri Oct 31 18:13:15 EST 2003


> 1. You should not try to make assumptions about what Amazon is doing.
> Rather, you should research what they are doing and find out for
> certain. Making guesses does not help you in any way, and you are
> probably wrong when you do so.
> 
Well, if I had all the time in the world maybe I could figure out exactly how it works on Amazon, but I don't have that interest.


> 2. You now have expanded your list of security methods to using SSL,
> asking for a password, and this weird session cookie/hidden form
> thing you are trying to explain. I suggest to you that there are even
> more methods and techniques being employed. In fact, there are many
> more. Don't assume things are so simple until you understand what is
> going on.
> 
OK, I am not going to disagree here.
One can make a long list of security methods. Another is to ask oneself whether any of the methods actually add anything useful.
Off the top of my head I can list these:
a. Use rewrite rules to hide variable names (seems like security by obscurity)
b. Check Referer headers
c. You even said this: check the User-Agent header
d. My guess on how Amazon does it is by hidden fields (they may not do it; I had not seen any such fields that may suggest that)
e. Someone suggested using a transaction id, basically a hidden field that changes on every form submit.

This list can go on, but all these methods fail to protect against someone sniffing the TCP/IP connection. If they can see all the HTTP messages they can, with time, figure out how to get around all these methods.

This is why I stressed the importance of SSL as being of primary importance. SSL provides authentication (only of the server, usually), integrity and confidentiality. Something that all those other HTTP tricks can't offer. I would consider not using SSL as playing with fire and asking to be hacked.

Asking for a password again is only meant to protect against someone walking away from the computer while they are on the site, or against someone else sitting down at their computer.
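As an added illustration of item (e) in the list above (this is example code, not something posted in the thread or taken from Amazon): a per-submit transaction token that is generated server-side, embedded in a hidden field, and consumed on the first submit. The session is modelled as a plain PHP array so the script runs from the CLI; in a real application the array would be `$_SESSION`, the token would be read from `$_POST['form_token']`, and the form names and 15-minute lifetime are assumptions chosen for the example.

```php
<?php
// Added example, not from the original post. A one-time form token of the
// kind item (e) describes: issued per form render, checked and consumed on
// submit. $session stands in for $_SESSION so this runs from the command line.

declare(strict_types=1);

// Assumption for the example: a rendered form must be submitted within 15 minutes.
const TOKEN_TTL_SECONDS = 900;

/** Issue a fresh one-time token for $form, store it server-side, return it for the hidden field. */
function issue_form_token(array &$session, string $form, ?int $now = null): string
{
    $now = $now ?? time();
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $session['form_tokens'][$form] = ['value' => $token, 'issued' => $now];
    return $token;
}

/** Verify the submitted token for $form and consume it, so the same submit cannot be replayed. */
function check_form_token(array &$session, string $form, string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    $stored = $session['form_tokens'][$form] ?? null;
    // Consume unconditionally: whether the check passes or fails, this token is gone.
    unset($session['form_tokens'][$form]);
    if ($stored === null) {
        return false; // never issued, or already used
    }
    if ($now - $stored['issued'] > TOKEN_TTL_SECONDS) {
        return false; // stale form
    }
    // Constant-time comparison so a wrong guess does not leak how many bytes matched.
    return hash_equals($stored['value'], $submitted);
}

/** Render the hidden field that carries the token back in the POST. */
function hidden_token_field(string $token): string
{
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Demo: one user session across a sequence of requests.
$session = [];

// Request 1: GET the order form; the token goes out in a hidden field.
$token = issue_form_token($session, 'place_order');
echo hidden_token_field($token), "\n";

// Request 2: the legitimate POST returns the token and is accepted.
echo 'first submit accepted: ', var_export(check_form_token($session, 'place_order', $token), true), "\n";

// Request 3: a replay of the same POST (or a double click) is rejected,
// because the token was consumed by request 2.
echo 'replayed submit accepted: ', var_export(check_form_token($session, 'place_order', $token), true), "\n";

// A token issued for one form does not validate another form, and a
// tampered value fails the constant-time comparison.
$addressToken = issue_form_token($session, 'change_address');
echo 'cross-form token accepted: ', var_export(check_form_token($session, 'place_order', $addressToken), true), "\n";
$another = issue_form_token($session, 'change_address');
echo 'tampered token accepted: ', var_export(check_form_token($session, 'change_address', 'deadbeef'), true), "\n";

// An expired token is rejected even when the value is correct.
$old = issue_form_token($session, 'place_order', time() - TOKEN_TTL_SECONDS - 1);
echo 'expired token accepted: ', var_export(check_form_token($session, 'place_order', $old), true), "\n";
```

What this does and does not buy you: the token stops a replayed or double submit and a forged cross-site POST, because the attacker has to know a value that exists only in this session and only until it is used. It does nothing against the observer the post describes: over plain HTTP the hidden field, the session cookie and the POST body all travel in the clear, so anyone reading the connection sees the token before the server does. The token is a complement to SSL, not a substitute for it.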
