Re: Login credentials and session id security

[Shaon Diwakar <shaon.diwakar () yahoo com au>]

Hi Vishal,

As far as I am aware - no method is fool proof - however some steps I've seen apps use have been to use a Javascript 
library  to hash the password (and adding a salt) before transmission and/or also using two factor authentication such 
as an secure ID token. You can get a lot of great ideas by looking at popular web-sites, such as Google or Yahoo's 
logon pages and putting them through a proxy such as webscarab or burp. 

The aim is to secure the web application such that a users session ID is transmitted securely between the application 
server and the users browser; which is why it is important that you do everything you can to secure that users session 
ID - i.e. check for cross site scripting, SQL injection, cross frame scripting etc. Therefore the developers of the app 
must do all they can to follow secure coding guidelines (the OWASP guide is a great reference).

Cheers,
sHz

----- Original Message ----
From: Vishal Garg <vishal () firstbase co uk>
To: webappsec () securityfocus com
Sent: Wednesday, 6 June, 2007 7:41:53 PM
Subject: Login credentials and session id security

Hi All,

Can someone please tell what is the most secure way of sending login 
credentials to the server. The possible ways that I am familiar with are:

- get method
- post method
- hidden form fields

By using an encrypted connection we cannot sniff the credentials, but 
still it is very easy to capture or manipulate these credentials 
using a web proxy from any of these methods. So I am looking to find 
a method to transport the credentials to the server so that the 
security of these credentials can't be compromised even by deploying 
a web proxy.

Also once a session id is generated, what is the best way to maintain 
the security of a session id.

Any help would be much appreciated.

Regards
Vishal


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------





-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------