WebApp Sec mailing list archives
Re: Encrypted URL
From: gcb33 () dial pipex com
Date: Sat, 31 Jan 2004 07:48:18 +0000
Encrypting the URL adds another layer of security to web apps; we use it in banking applications, and as the application uses URL rewrites it was easy to add on top. The entire URL is encrypted, with a random key for each page requested. We don't use GET; it is all POSTs of data submitted by the user. This solves:

- Retry sessions: if the user was able to copy and paste a previous URL into another browser, it will not work, as the key has been lost and the session will be killed automatically. Back button, same again, or Ctrl-N refresh.
- Second, it stops a lot of process-flow jumping within the site, i.e. in Brokerage: Buy, Order, Sell, and the same with Corporate banking systems.
- It also hides the path that pages are on; all you see is one long encrypted URL, and it makes it harder for the person to guess what Application server you are running on.

We have two keys in this approach. One key is used to do the URL rewrites, seeded from the web servers themselves. Another key is created randomly per page for each user request, which is mapped into the session state database on the application server. Please note this approach we can turn on or off for testing, to make sure that the application server can still handle the session state of the user within the site without relying on the 2nd key.

James --
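The two-key scheme James describes, as an added illustration that is not code from the original post or from his bank's system: a server-side key encrypts and authenticates the whole rewritten URL, and a random per-page key is stored in session state (a dict standing in for his session-state database) and accepted exactly once, so a pasted, back-buttoned or replayed URL kills the session. The encryption is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because the Python standard library has no AES; the class name, the `/app/` prefix, the `check_page_key` switch (standing in for the "turn on or off for testing" behaviour) and all sample paths are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` bytes with HMAC-SHA256 in counter mode.
    Hash-based construction used only because the stdlib has no block cipher."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_url(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag, URL-safe base64 without padding."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).rstrip(b"=").decode("ascii")


def decrypt_url(enc_key: bytes, mac_key: bytes, token: str):
    """Return the plaintext, or None if the token is malformed or its tag does not verify."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 32:
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-16], raw[-16:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):  # constant-time tag check before any decryption
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class EncryptedUrlServer:
    """Hypothetical application server implementing the two-key encrypted-URL scheme."""
    PREFIX = "/app/"  # assumed: every rewritten URL is one opaque token under this path

    def __init__(self, server_key: bytes, check_page_key: bool = True):
        # Key 1: derived from the web server's own seed, used for the URL rewrite itself.
        self.enc_key = hmac.new(server_key, b"url-encrypt", hashlib.sha256).digest()
        self.mac_key = hmac.new(server_key, b"url-authenticate", hashlib.sha256).digest()
        # Key 2 lives per session: session_id -> {"user": ..., "page_key": ...}
        self.sessions: dict = {}
        self.check_page_key = check_page_key  # off = rely on session state alone, as for testing

    def login(self, user: str):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "page_key": None}
        return sid, self.issue_url(sid, "/home")

    def issue_url(self, sid: str, path: str) -> str:
        """Mint the URL for the next page: fresh random page key, recorded in session state."""
        page_key = secrets.token_hex(16)
        self.sessions[sid]["page_key"] = page_key
        return self.PREFIX + encrypt_url(self.enc_key, self.mac_key, f"{path}|{page_key}".encode())

    def handle_request(self, sid: str, url: str):
        session = self.sessions.get(sid)
        if session is None:
            return ("error", "no such session")
        plain = None
        if url.startswith(self.PREFIX):
            plain = decrypt_url(self.enc_key, self.mac_key, url[len(self.PREFIX):])
        if plain is None:  # tampered or forged URL: kill the session
            del self.sessions[sid]
            return ("killed", "URL failed authentication")
        path, _, page_key = plain.decode("utf-8", "replace").partition("|")
        if self.check_page_key:
            live = session["page_key"]
            if live is None or not hmac.compare_digest(page_key, live):
                del self.sessions[sid]  # back button, pasted URL or flow jump: key already used
                return ("killed", "stale or replayed URL")
            session["page_key"] = None  # one use only
        return ("ok", path)


def demo() -> dict:
    """Walk a constructed session through normal use, a replay and a tampered URL."""
    srv = EncryptedUrlServer(secrets.token_bytes(32))
    sid, url_home = srv.login("alice")
    first = srv.handle_request(sid, url_home)
    url_buy = srv.issue_url(sid, "/broker/buy")
    second = srv.handle_request(sid, url_buy)
    url_confirm = srv.issue_url(sid, "/broker/confirm")
    replay = srv.handle_request(sid, url_buy)          # back button / pasted previous URL
    after_kill = srv.handle_request(sid, url_confirm)  # session already destroyed

    sid2, url2 = srv.login("bob")
    token = url2[len(srv.PREFIX):]
    flipped = ("B" if token[0] != "B" else "C") + token[1:]  # changes the nonce, so the tag fails
    tampered = srv.handle_request(sid2, srv.PREFIX + flipped)

    return {"first": first, "second": second, "replay": replay, "after_kill": after_kill,
            "tampered": tampered, "path_hidden": "/broker" not in url_buy}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the page key is consumed on first use, the scheme only works when every legitimate link on a page is minted server-side after the previous request, which is why the post ties it to an application that already does URL rewriting. Running with `check_page_key=False` exercises the same session-state path without the one-time key, matching the toggle the post describes for testing.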
Current thread:
- Re: Encrypted URL, (continued)
- Re: Encrypted URL Kenneth Peiruza (Feb 02)
- Re: Encrypted URL dreamwvr () dreamwvr com (Feb 02)
- Re: Encrypted URL Kenneth Peiruza (Feb 02)
- Re: Encrypted URL Kenneth Peiruza (Jan 30)
- Re: Encrypted URL Ulf Härnhammar (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL David Wall @ Yozons, Inc. (Jan 31)
- RE: Encrypted URL Hephaestus (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL Fogbound Child (Jan 30)
- RE: Encrypted URL scott wood (Jan 30)
- Re: Encrypted URL Mark Curphey (Jan 30)
- Re: Encrypted URL gcb33 (Jan 31)
- RE: Encrypted URL Scovetta, Michael V (Jan 31)
- Re: Encrypted URL Erik Kangas (Jan 31)
- RE: Encrypted URL Dean Saxe (Feb 02)
- Re: Encrypted URL Jeremiah Cornelius (Feb 02)
- Re: Encrypted URL Fred van Engen (Feb 02)
- Re: Encrypted URL Jeremiah Cornelius (Feb 02)
- RE: Encrypted URL Dean Saxe (Feb 02)
- Re: Encrypted URL Brecrost Jones (Feb 02)