Geoff Talvola <[EMAIL PROTECTED]> wrote:
> I could write a program that keeps on trying random session IDs with the
> date/time part of the session ID set to a couple of minutes ago, so the
> session is likely to still be around. It might take hundreds of thousands
> of tries but it would eventually find a valid session ID, especially on a
> site that gets a lot of traffic and therefore has a lot of new sessions
> getting created all the time.
OTOH, if you have a lot of traffic, the security for the bulk of those users probably isn't a big deal. Maybe Hotmail has to worry about this (a bit), but few other sites. Usually there's only a relatively small number of people who have enough privileges to matter much. Simply distributing the passwords to large numbers of users is very insecure anyway. Self-registration implies that the user has built their privilege up after registration -- usually by creating some sort of content afterwards. This is how I'd classify Hotmail.

Things like credit card numbers -- easy to put on the site, highly privileged -- should really be deleted anyway.

I still can't believe my fucking bank thinks my social security number is a good enough form of authentication. Or worse, just the last four digits. It's a goddamned disgrace. So while we might think "except for banks, this should be good enough", banks think even less security is good enough.

  Ian

_______________________________________________
Webware-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-devel
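To put numbers on the guessing scenario in Geoff's quoted text, here is an added example (not code from this thread or from Webware) that estimates the expected number of tries against a timestamp-plus-short-random-suffix session ID versus a fully random one, and shows the usual fix of drawing the whole ID from the OS CSPRNG. The 2-minute window, 16-bit suffix, 1000 live sessions and 128-bit ID are assumed illustration values, not Webware's actual format.

```python
import math
import secrets

# Assumed illustration values; Webware's real session ID layout is not
# described on this page, so these are placeholders for the calculation.
WINDOW_SECONDS = 120      # attacker pins the timestamp to "a couple of minutes ago"
RANDOM_BITS = 16          # assumed size of the non-timestamp part of the ID
LIVE_SESSIONS = 1000      # sessions alive on a busy site at any moment
STRONG_ID_BYTES = 16      # 128-bit opaque ID from the CSPRNG


def effective_bits_timestamped(window_seconds: int, random_bits: int) -> float:
    """Bits an attacker must actually search when the ID is
    timestamp || random_part and the timestamp is known to fall within the
    last `window_seconds` (1-second resolution assumed). The timestamp adds
    only log2(window) bits, not the full width of the field."""
    return math.log2(window_seconds) + random_bits


def expected_guesses(effective_bits: float, live_sessions: int) -> float:
    """Expected random tries before hitting any one of `live_sessions` valid
    IDs, assuming the valid IDs are spread uniformly over the 2**bits space.
    More live sessions means fewer tries, which is the point Geoff makes."""
    return 2.0 ** effective_bits / live_sessions


def compare_schemes(window_seconds: int = WINDOW_SECONDS,
                    random_bits: int = RANDOM_BITS,
                    id_bytes: int = STRONG_ID_BYTES,
                    live_sessions: int = LIVE_SESSIONS) -> tuple[float, float]:
    """Return (tries against timestamped scheme, tries against random scheme)."""
    weak = expected_guesses(effective_bits_timestamped(window_seconds, random_bits),
                            live_sessions)
    strong = expected_guesses(id_bytes * 8, live_sessions)
    return weak, strong


def new_session_id(nbytes: int = STRONG_ID_BYTES) -> str:
    """Mitigation: an opaque ID with nbytes*8 bits of CSPRNG entropy and no
    timestamp component, so knowing when the session started gives the
    attacker nothing."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    weak, strong = compare_schemes()
    print(f"timestamp+{RANDOM_BITS}-bit suffix: ~{weak:,.0f} expected tries")
    print(f"{STRONG_ID_BYTES * 8}-bit random ID:      ~{strong:.2e} expected tries")
    print("example opaque ID:", new_session_id())
```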
