[EMAIL PROTECTED] wrote:
> 
> In a message dated 7/30/00 7:33:41 AM Eastern Daylight Time,
> [EMAIL PROTECTED] writes:
> 
> > > And, on top of that, I have eliminated session hijacking
> > > (with a Back Button Breaking method).
> >
> > Can you enlighten me ?
> 
> A security method that will redirect the user to a relogin page if, for
> instance,
> they hit the browser's back button and then use navigation on the old pages.
> 
> Basically, while in a regular area, the links might be
> http://192.168.1.100/cmp/about/about.html
> and in the secure area there is a "?key=af65235cd773ae986"
> tacked on the end.
> Keys are transmitted over HTTPS only.
> The key is transformed for each page request.
> 
> Once the key is added to the links, it is mandatory to be returned.
> If it isn't the user is directed to reenter their password.
> 
> I've mapped out all the possibilities, and this method prevents any
> serious bad effects from session hijacking, while leaving much of the site
> free from slow HTTPS connections.
> 
> However, just like anywhere, if someone steals your plaintext cookie
> or you send them the link with your Url munge in it, they can add
> things to your shopping cart. However, and importantly, while
> the user is in the secure area, the shopping cart is locked down, so
> unless they have your password also, you never have to buy any of it.


Thanks for that.

Greg
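As an added example (not code from the thread or from the poster's site), here is a minimal Python model of the per-request key check described in the quoted message: every request in the secure area must carry the current key, the key is transformed after each successful request, and a missing or stale key (as produced by back-button navigation) forces a relogin. The in-memory session object, the 16-hex-character key format, the HMAC-based key transform and the URL paths are assumptions.

```python
# Added example: server-side model of a rotating per-request URL key.
# Keys, paths and the session store are constructed for illustration.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

SERVER_SECRET = secrets.token_bytes(32)  # assumed per-server secret


class SecureSession:
    """One logged-in user's state in the secure (HTTPS) area."""

    def __init__(self, user):
        self.user = user
        self.key = secrets.token_hex(8)  # current key, 16 hex chars (assumed format)

    def rotate_key(self):
        # Transform the key for the next page request. The transform is one-way,
        # so a key seen in an old URL cannot be advanced to the current one.
        digest = hmac.new(SERVER_SECRET, self.key.encode(), hashlib.sha256)
        self.key = digest.hexdigest()[:16]
        return self.key


def handle_secure_request(session, url):
    """Return ('ok', next_link) when the presented key is current,
    or ('relogin', '/login') when it is missing or stale."""
    presented = parse_qs(urlparse(url).query).get("key", [None])[0]
    if presented is None or not hmac.compare_digest(presented, session.key):
        # Missing key (link without the munge) or stale key (back button,
        # replayed URL): abandon the current chain and require the password.
        session.key = secrets.token_hex(8)
        return ("relogin", "/login")
    next_key = session.rotate_key()
    # Links rendered into the response carry the freshly transformed key.
    return ("ok", f"/secure/cart.html?key={next_key}")
```

Each response embeds the next key in its links, so only the page the user is actually on holds a usable key; the thread's own caveat still applies, since a key carried in a URL can leak through history or a shared link until the next request rotates it.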

