Session security

Michael Bull mbull@uoguelph.ca
Wed, 10 Jan 2001 18:27:10 -0500


Chuck, a while back in a discussion on how secure session cookies were, you 
said the following:

> Security: IMP encrypts the password before putting it into the session store
> (file, database, shared memory), using a key which is either stored in a cookie
> (relatively secure, and very secure if you are using SSL) or based on some
> simple information if you have cookies disabled (guessable, but better than
> nothing).

Just to revisit this...

What is the security implication of SSL to the cookies?  Do they get 
encrypted using the site's encryption key?
Does this have any ability to prevent cross-site scripting attacks from 
stealing session cookies, either through JavaScript that comes through an 
IMP site that enabled HTML e-mail, or via an external link a user activates 
while in IMP?


Thanks for your time on this.
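The scheme quoted above, worked through as an added illustration. This is not IMP's or Horde's code: the in-memory dictionary standing in for the session store, the cookie name imp_key, and the HMAC-SHA256 counter-mode cipher (used so the example runs on the Python standard library alone) are all assumptions of the example. It shows the property the quote relies on, that the session store on the server holds only ciphertext, while the key that unlocks it travels in a cookie, and it marks that cookie Secure so the browser only sends it over an SSL/TLS connection.

```python
import hashlib
import hmac
import os
from http.cookies import SimpleCookie

# Constructed stand-in for IMP's file/database/shared-memory session store:
# session id -> {"password": <encrypted blob>}.  Nothing here is IMP's format.
SESSION_STORE: dict = {}

COOKIE_NAME = "imp_key"   # hypothetical cookie name, not IMP's


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the per-session key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 as the PRF (illustrative; a
    deployment would use an authenticated cipher such as AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream.  A wrong key or a
    modified session record fails closed with ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session record tampered with or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def login(session_id: str, password: str, ssl: bool) -> SimpleCookie:
    """Server side of login: generate a fresh key, store only the encrypted
    password, and hand the key back to the browser in a cookie."""
    key = os.urandom(32)
    SESSION_STORE[session_id] = {"password": encrypt(key, password.encode())}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = key.hex()
    cookie[COOKIE_NAME]["path"] = "/"
    # Secure: the browser returns this cookie only over SSL/TLS, so the key is
    # never exposed on a plaintext HTTP hop.  Only meaningful if the site is
    # actually served over SSL.
    cookie[COOKIE_NAME]["secure"] = ssl
    return cookie


def password_from_session(session_id: str, cookie_header: str) -> str:
    """Server side of a later request: recover the password from the store
    using the key the browser sent back in its Cookie header."""
    cookie = SimpleCookie(cookie_header)
    key = bytes.fromhex(cookie[COOKIE_NAME].value)
    return decrypt(key, SESSION_STORE[session_id]["password"]).decode()


def store_exposes_password(session_id: str, password: str) -> bool:
    """True if the raw session record would reveal the password to anyone
    who can read the store (it should not)."""
    return password.encode() in SESSION_STORE[session_id]["password"]


if __name__ == "__main__":
    c = login("sess-1", "correct horse", ssl=True)
    print(c.output())            # Set-Cookie: imp_key=<hex>; Path=/; Secure
    print(store_exposes_password("sess-1", "correct horse"))   # False
    hdr = f"{COOKIE_NAME}={c[COOKIE_NAME].value}"
    print(password_from_session("sess-1", hdr))                # correct horse
```

What the example makes concrete about the two questions: SSL does not encrypt the cookie's contents with the site's key; it encrypts the connection the cookie travels over, and the Secure attribute is what ties the cookie to that connection. Script running inside the page (the HTML e-mail case) talks to the browser, not the wire, so transport encryption does not withhold the cookie from it; the browser-side control for that is the separate HttpOnly attribute, which SimpleCookie also supports via the "httponly" flag.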