Dervis Cokbilir wrote:
> >When using cookies, the session ID is just as easy to
> >grab, because it is sent in every request.
> >Being "invisible" doesn't make it any more secure.
>
> I know, I also don't like that (storing this in cookies), it seems
> insecure.
>
> >can cut down lots of potential problems. But, the
> >more secure protection would be encryption -- then,
> >snooping the session ID in the first place becomes
> >much more difficult.
>
> IP is a very good solution I guess, but I would like to ensure that by
> encrypting the session ID.
> Do you know how I can encrypt this session ID in Java? Do you know any
> Java class/method that does this?
>
Encrypting the session ID isn't going to do any good -- it was sent from the
server to the browser in the first place, and as far as the browser is
concerned it's just a cookie, with nothing special. All it knows how to do is
send the cookie back again when transmitting requests to the same host.
Checking the IP is only a *partial* solution -- if your hacker is running on
the same computer, then the requests are coming from the same IP address.
It's also possible for a determined hacker to spoof the IP address they are
coming from, but this takes a fair amount of effort.
>
> Thanks ...
>
Encrypting the session ID also doesn't help much if the hacker is
eavesdropping on your session (which someone in between the client and your
server can do with a reasonably smart packet sniffer), and they see all of
your sensitive data displayed in the nicely formatted HTML pages created by
your servlets.
If your web server supports SSL, everything is taken care of for you, in a
manner that is totally transparent to your servlets. Then, all of the
HTTP headers and data are encrypted (including the session ID). That's why
reputable e-commerce sites use this when they ask you for your credit card
information. If the app isn't sensitive enough to warrant this level of
protection, it's probably not worth any "half baked" efforts like encrypting
just the session identifier either.
Craig McClanahan
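As an added illustration of the two points made above (the IP check being only partial, and SSL being the real protection), here is a hypothetical servlet filter, not code from the thread or from any Sun product. It assumes the Servlet `Filter` API; the class name `SessionGuardFilter` and the attribute name `guard.boundRemoteAddr` are made up for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: refuses session use over plain HTTP and ties each session to the address that created it. */
public class SessionGuardFilter implements Filter {
    // Hypothetical session attribute holding the address the session was first used from.
    private static final String BOUND_ADDR = "guard.boundRemoteAddr";
    public void init(FilterConfig config) throws ServletException { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Without SSL the session cookie crosses the wire in clear text, so a
        // session ID presented over plain HTTP is treated as already exposed.
        if (!request.isSecure()) {
            HttpSession exposed = request.getSession(false);
            if (exposed != null) {
                exposed.invalidate();
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        HttpSession session = request.getSession(false);
        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_ADDR);
            String current = request.getRemoteAddr();
            if (bound == null) {
                // First use of this session: remember where it came from.
                session.setAttribute(BOUND_ADDR, current);
            } else if (!bound.equals(current)) {
                // Same session ID from a different address: treat it as a replayed
                // cookie. This cannot catch someone on the same machine or behind
                // the same NAT, which is why it is only a partial check.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session/address mismatch");
                return;
            }
        }
        chain.doFilter(req, res);
    }
    public void destroy() { }
}
```

Map the filter to the protected servlets in the deployment descriptor; the address check is a defence in depth behind SSL, not a substitute for it.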
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html