I know SO isn't traditionally used this way (or maybe it is), but I've been learning about webapp security and was thinking it would be nice and encouraging to hear from SO experts what they think of this article (I'm reading it now, it's on session securi开发者_JAVA百科ty).
http://carsonified.com/blog/dev/how-to-create-bulletproof-sessions/
Maybe we can have a discussion of some kind, point out what the author misstated/forgot and what better practices are there?
For example when it comes to a different security topic like sql injections, many people recommend things like mysql_real_escape_strings, but the experts will tell you that nothing beats prepared statements. From the comments, this article seems to have its problems, so I'm wondering how far on the good or bad side his content is.
I think the article is quite nice, however these are just the basic concepts and if somebody seriously tries to make a serious security aware application, things like this will be addressed. In other words, the level of the article is quite low.
Issues like a man-in-the-middle attack are not addressed here (although i can imagine that something like this is usually outside the scope of the application layer). Another possible vulnerability can be random number generation. So depending on the implementation of session key generation, the entropy of the session keys could be much lower as the maximum possible entropy which may or may not make brute force attacks feasible.
So it really depends on the security requirements you have how the solution will be, there is no single security solution that works in all cases. To apply the latter, imagine that you've got a valid session id and you know to which ip the session is bound. Also assume that the target in this example is a bank. Now i can perform a request to transfer money to my account, and make this work by spoofing my ip-address and providing the stolen session. Ok, the reply of my request will never arrive since the IP address is spoofed, but who cares, I got the money since the server accepted my request.
The point is that depending on the context, your security requirements and thus your security solution(s) may greatly vary.
精彩评论