In a message dated 7/30/00 7:33:41 AM Eastern Daylight Time, 
[EMAIL PROTECTED] writes:

> > And, on top of that, I have eliminated session hijacking
> > (with a Back Button Breaking method).
>
> Can you enlighten me?

A security method that will redirect the user to a relogin page if, for instance,
they hit the browser's back button and then use navigation on the old pages.

Basically, while in a regular area, the links might be
http://192.168.1.100/cmp/about/about.html
and in the secure area there is a "?key=af65235cd773ae986" 
tacked on the end.
Keys are transmitted over HTTPS only.
The key is transformed for each page request.

Once the key is added to the links, it is mandatory to be returned.
If it isn't the user is directed to reenter their password.

I've mapped out all the possibilities, and this method prevents any
serious bad effects from session hijacking, while leaving much of the site
free from slow HTTPS connections.

However, just like anywhere, if someone steals your plaintext cookie
or you send them the link with your URL munge in it, they can add
things to your shopping cart. However, and importantly, while 
the user is in the secure area, the shopping cart is locked down, so 
unless they have your password also, you never have to buy any of it.
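The per-request key rotation described above, as an added example (not code from the poster or their site): a minimal server-side model in which each secure-area response issues a fresh key, the next request must return exactly that key, and a back-button replay of an old key sends the user to the relogin page. The paths and the relogin page are assumed names, and the key is kept in memory for a single session.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

RELOGIN = "/cmp/relogin.html"  # hypothetical relogin page


class SecureArea:
    """Server-side state for one logged-in session: only the most recently
    issued key is accepted, so a stale key (back button, pasted old link) fails."""

    def __init__(self):
        self.current_key = None  # None means: must log in again

    def login(self):
        """Password accepted (out of scope here); issue the first key."""
        return self._issue_key()

    def _issue_key(self):
        # 16 hex characters, the same shape as the ?key= value in the message
        self.current_key = secrets.token_hex(8)
        return self.current_key

    def link(self, path):
        """Build a secure-area link with the current key tacked on."""
        return f"{path}?key={self.current_key}"

    def request(self, url):
        """Serve a secure-area page: returns the path on success, RELOGIN otherwise."""
        parts = urlsplit(url)
        key = parse_qs(parts.query).get("key", [None])[0]
        if self.current_key is None or key is None or not hmac.compare_digest(
            key.encode(), self.current_key.encode()
        ):
            self.current_key = None  # replayed or missing key ends the session
            return RELOGIN
        self._issue_key()  # key is transformed for each page request
        return parts.path


def walkthrough():
    """Normal navigation, then a back-button replay of an old key."""
    area = SecureArea()
    area.login()
    page1 = area.link("/cmp/cart/view.html")  # link embedded in the first secure page
    r1 = area.request(page1)  # fresh key: served, key rotates
    page2 = area.link("/cmp/cart/checkout.html")
    r2 = area.request(page2)  # next key: served, key rotates again
    r3 = area.request(page1)  # back button re-submits the old key: relogin
    r4 = area.request("/cmp/cart/view.html")  # session gone, no key: relogin
    return [r1, r2, r3, r4]
```

One rotating key per session also rejects legitimate multi-tab navigation, so a real deployment needs a window of recently issued keys or per-tab state. The key in the query string will appear in browser history, proxy logs and Referer headers, which is why the message restricts it to HTTPS.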