At 17:15 14-8-2002, Dan Hardiker wrote:

> > + <para>
> > + Therefore, when dealing with sensative information, there should
> > + always be additional methods to decide whether it is a valid
> > + session. Sessions are <strong>not reliable</strong> as a secure
> > + authentication mechanism.
> > + </para>
>
> So if I'm to write an online web-based banking system (either in Java/JSP,
> PHP, ASP - whatever)... what method would you suggest that IS secure?
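Review bot: "sensative" in the first added line of the <para> is a typo for "sensitive" and should be fixed before the documentation patch lands. The same paragraph tells the reader that "additional methods" are needed to decide whether a session is valid but names none; a short pointer to what those checks are (re-checking the account in the authoritative store, requiring re-authentication for sensitive operations) would make the warning actionable rather than just cautionary.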
HTTPS and ideally Kerberos and/or some calculator S/Key or iris scans. But the main culprit is that no sessions act as a deciding factor alone, just an alternate data storage method that is quicker than a multi-joined query. If the session is invalid, create a new one and do the query again or display an error. No harm other than speed and usability, which in the case of banking are of lower priority than security.

Ultimately you can only identify a browser, never a person, so I would use a plugin that closes all browser windows after x minutes of inactivity, regardless of sessions, but at some point the responsibility stops and the end-user is to blame.

The main problems I see though are with shopping carts. These can reveal whether someone is on Prozac, for instance. The cart is a session variable and with 99% of the shops no authentication has taken place when creating a cart. This is only done when people are checking out and proceeding to the order form. Most of them don't even encode the order form, but only the billing.

At 16:23 14-8-2002, Stefan Esser wrote:

> I do not understand the sense of this whole discussion.
> HTTP is a plaintext protocol. So nothing transferred over HTTP can be secure.
> No urls, no session no anything.

Yes. So we either advise nothing or correctly, which is what the discussion boiled down to.

Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
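The design Melvyn sketches above (the session as a faster copy of data, never the sole deciding factor; an invalid session is thrown away and a fresh one started; inactivity ends the session; a sensitive action needs more than the session) as an added PHP example. This code is not from the thread and not PHP's own session implementation; the account table is a constructed in-memory array standing in for the real database query, and the function names, timeout values and sample credentials are all assumptions made for the illustration.

```php
<?php
// Added example: the session caches who the browser claimed to be at login.
// Every request that relies on that claim re-checks the account in the
// authoritative store, enforces an inactivity limit, and a banking-style
// action additionally requires a recent password check.
declare(strict_types=1);

const INACTIVITY_LIMIT = 600; // seconds; the "x minutes" of the thread, chosen here as an assumption
const REAUTH_WINDOW    = 120; // seconds; how recent a password check must be for a sensitive action

// Constructed stand-in for the account table a real system would query.
$ACCOUNTS = [
    42 => ['status' => 'active',    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    43 => ['status' => 'suspended', 'password_hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
];

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Login verifies against the store, then rotates the session id so a cookie
// handed out before authentication is not the one that carries the identity.
function login(int $userId, string $password, array $accounts): bool
{
    startSession();
    $acct = $accounts[$userId] ?? null;
    if ($acct === null || $acct['status'] !== 'active'
        || !password_verify($password, $acct['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['last_seen']   = time();
    $_SESSION['last_reauth'] = time();
    return true;
}

// Returns the authenticated user id only if the session is still within the
// inactivity limit AND the account is still active in the store. Otherwise the
// session is discarded and a fresh anonymous one begins, as the thread suggests.
function currentUser(array $accounts): ?int
{
    startSession();
    $uid = $_SESSION['user_id'] ?? null;
    if ($uid === null) {
        return null;
    }
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    $acct = $accounts[$uid] ?? null;
    if ($idle > INACTIVITY_LIMIT || $acct === null || $acct['status'] !== 'active') {
        $_SESSION = [];
        session_regenerate_id(true);
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $uid;
}

// A sensitive action: a valid session alone is not enough; the caller must
// also have re-entered the password recently.
function transferFunds(int $amount, array $accounts): string
{
    $uid = currentUser($accounts);
    if ($uid === null) {
        return 'denied: no valid session, please log in';
    }
    if (time() - ($_SESSION['last_reauth'] ?? 0) > REAUTH_WINDOW) {
        return 'denied: re-enter your password to confirm this transfer';
    }
    return "ok: transferred $amount for user $uid";
}

// The cart is plain session storage and needs no login, but nothing stored in
// it is treated as proof of identity when the customer reaches checkout.
function addToCart(string $sku): void
{
    startSession();
    $_SESSION['cart'][] = $sku;
}

// Usage (constructed):
addToCart('book-0001');                 // anonymous browsing, no identity involved
login(42, 'correct horse', $ACCOUNTS);  // identity established against the store
echo transferFunds(100, $ACCOUNTS), PHP_EOL;
```

The point of routing every sensitive call through currentUser() is that a stale or forged session never decides anything on its own: if the account was suspended after login, or the browser sat idle past the limit, the session is simply dropped and the user is asked to log in again, which costs speed and convenience but not security.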