php - Switching between HTTP and HTTPS pages with secure session-cookie
Update: Note that every website switching between unsecure HTTP and encrypted HTTPS pages is inevitably prone to SSL-strip. Please think about using HTTPS for the whole site; although this cannot prevent SSL-strip either, it at least gives the user the possibility to call the site safely, if they care. For sites that need to switch, this method is still the best option.

It's a common scenario that a website has pages with sensitive data, which should be accessed with the HTTPS protocol, and other ones with noncritical data.

I found a solution which allows switching between secure and non-secure pages while keeping the session, and I would like to ask for hints about flaws in the concept. The whole article can be found here: Secure session cookie with SSL (of course I'm also happy to hear that it is safe).
The problem

HTTPS makes sure that nobody between the client and the server can eavesdrop on our communication, and prevents a man-in-the-middle attack. Unfortunately this doesn't apply to the session cookie, which is sent with unencrypted requests too.

PHP offers the function session_set_cookie_params(...) with the parameter $secure. This is what we need, but it leaves us with the problem that we lose our session when we switch to an unsecure page.
The authentication cookie

The idea of the authentication cookie is that, when the user enters the password (increases their access privileges), we create a second cookie in addition to the unsecure session cookie, and make sure that only encrypted HTTPS pages have access to it.
https://www.example.com/login.php

    <?php
      session_start();
      // regenerate the session id to make session fixation more difficult
      session_regenerate_id(true);
      // generate a random code for the authentication cookie and store it in the session
      $authcode = md5(uniqid(mt_rand(), true));
      $_SESSION['authentication'] = $authcode;
      // create the authentication cookie, and restrict it to HTTPS pages
      setcookie('authentication', $authcode, 0, '/', '', true, true);

      print('<h1>login</h1>');
      ...
    ?>
Now every page (HTTPS and HTTP) can read the unsecure session cookie, but pages with sensitive information can check for the secure authentication cookie.
https://www.example.com/secret.php

    <?php
      session_start();
      // check that the authentication cookie exists, and that it
      // contains the same code which is stored in the session.
      $pageissecure = (!empty($_COOKIE['authentication']))
        && ($_COOKIE['authentication'] === $_SESSION['authentication']);

      if (!$pageissecure)
      {
        // do not display the page, redirect to the login page
      }

      ...
    ?>
An attacker can manipulate the session cookie, but never has access to the authentication cookie. The person who entered the password can own the authentication cookie; it's sent on encrypted HTTPS connections.

Thanks a lot for every answer!
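
A hardened variant of the login and check code above, as an added example that is not part of the original post: it draws the code from random_bytes() instead of md5(uniqid(mt_rand(), true)), keeps only a SHA-256 hash of it in the session, and compares with hash_equals(). The function names are hypothetical, $session and $cookies stand in for $_SESSION and $_COOKIE so the logic runs from the CLI, and PHP 7.3+ is assumed for the setcookie() options array.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical helper names. $session and $cookies are
// plain arrays standing in for $_SESSION and $_COOKIE.

/** Login step: CSPRNG code goes to the browser, only its hash stays in the session. */
function issueAuthCode(array &$session): string
{
    $code = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $session['authentication'] = hash('sha256', $code);
    return $code;
}

/** Options for setcookie('authentication', $code, authCookieOptions()). */
function authCookieOptions(): array
{
    return [
        'expires'  => 0,     // session cookie, as in the original code
        'path'     => '/',
        'secure'   => true,  // never sent on plain HTTP requests
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax', // extra restriction, not in the original code
    ];
}

/** Sensitive-page check: HTTPS request, cookie present, constant-time match. */
function pageIsSecure(array $session, array $cookies, bool $isHttps): bool
{
    $expected = $session['authentication'] ?? null;
    $given    = $cookies['authentication'] ?? null;
    if (!$isHttps || !is_string($expected) || !is_string($given) || $given === '') {
        return false; // also covers a session that never logged in
    }
    return hash_equals($expected, hash('sha256', $given));
}

// Constructed demo data; run with: php example.php
$session = [];
$code = issueAuthCode($session);
$cases = [
    'user with both cookies on HTTPS'     => [$session, ['authentication' => $code], true],
    'session id only (cookie never seen)' => [$session, [], true],
    'guessed authentication value'        => [$session, ['authentication' => 'guess'], true],
    'request arrived over plain HTTP'     => [$session, ['authentication' => $code], false],
    'session without a login'             => [[], ['authentication' => $code], true],
];
foreach ($cases as $label => [$s, $c, $https]) {
    printf("%-38s %s\n", $label, var_export(pageIsSecure($s, $c, $https), true));
}
```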
A simpler alternative: It is becoming an increasingly accepted alternative to use TLS all the time, rather than switching back and forth between secure and unsecure connections. The bulk of the additional processing time is spent setting up the secure tunnel, but this is done once and cached (typically). The symmetric encryption of subsequent traffic is very, very fast on modern processors. It's out-of-date thinking to believe that this will cause a server overhead or scalability issue.

In a recent blog post, a Google engineer reported that when they switched to HTTPS-only for Gmail, they found their server overhead increased by 4%. (Can't find the citation.)