Session-based logins, how secure?
I've used session cookies for making login thingies in both ASP, PHP and JSP. (When security was important I always used whatever features the server provided for this purpose, so I never even wondered about how secure the manual session thingy is.)
Good question, I would really like to see the opinions. Is there any other way (except session based) available?
A setup as you have described is extremely vulnerable unless you are using TLS.
You can add some simple things to increase the security of using session cookies, like storing and validating the IP address and other client-side information (browser version, OS version, etc.). These things are easily compared.
Brad Wilson (dotnetguy.techieswithcats.com)
I think the setup described is simple and robust.
"You can add some simple things to increase the security of using session cookies, like storing and validating the IP address and other client-side information (browser version, OS version, etc.). These things are easily compared."
Someone who can hijack your session cookie can just as easily fake browser and OS version strings. Faking the IP address of the client should be harder, but I really don't have a good idea how much more secure this makes it.
So what I gather is:
Coding to IP Address can be a tricky thing. With AOL clients the IP Address can change several times within a session. I am also seeing this same action with some of our Bell South users in central and southern Florida.
Any idea what causes requests in the same session to come from different IP addresses? Some sort of load balanced web proxy?
From AOL, I can only assume that a load balancer is the problem. From Bell South I have been told it is done to mess with people that share their connection. My Comcast DHCP address is changed every night around midnight well before the address expires. Every now and then it tricks up my Linksys and I have to restart it.
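A server-side sketch of the cookie binding Brad suggests, together with the idle timeout and the roaming-IP problem the later posts describe, added here as an example and not code from the thread (the in-memory store, the `SessionStore` class and the sample values are constructed for illustration):

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store (illustration only, not from the thread).
# The random token is the only real secret; the User-Agent hash is a cheap but
# forgeable check, and the IP check is strong but rejects users whose address
# changes mid-session (AOL proxies, ISP DHCP renewals), so it is made optional.

SESSION_TTL = 30 * 60  # seconds of inactivity before a session is dropped


def _fingerprint(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    def __init__(self, bind_ip: bool):
        self.bind_ip = bind_ip
        self._sessions = {}

    def create(self, user: str, user_agent: str, ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256-bit unguessable session id
        self._sessions[token] = {
            "user": user,
            "ua": _fingerprint(user_agent),
            "ip": ip,
            "last_seen": now,
        }
        return token

    def validate(self, token: str, user_agent: str, ip: str, now: float):
        """Return the username if the cookie is accepted, otherwise None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > SESSION_TTL:
            del self._sessions[token]  # idle timeout bounds the replay window
            return None
        if not hmac.compare_digest(s["ua"], _fingerprint(user_agent)):
            return None  # UA mismatch: weak signal, but free to check
        if self.bind_ip and s["ip"] != ip:
            return None  # IP mismatch: strong signal, but breaks roaming clients
        s["last_seen"] = now
        return s["user"]
```

Without TLS none of this helps against someone reading the cookie off the wire, which is the point made earlier in the thread.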