I would be most grateful if some of you guys could weigh in on this. I'm trying to implement a secure and solid sessions strategy on an e-commerce website, and I've tried to summarize my current understanding below with some additional questions, both high and low level.


This would also be quite beneficial for everybody in the same situation in the future, as our discussion will be logged in the archives for posterity. :-)

Thanks,

Sonny

From: "Sonny Sukumar" <[EMAIL PROTECTED]>

Hey all,

Antonio brought up some good points (in line below) which made me really think, and so the following is my current understanding of how sessions should be implemented with some additional questions I thought of along the way. Again, please consider my thoughts in the context of a B2C e-commerce site....

--I think we agree that, although URL encoding has its pitfalls, it is an option that should be provided for generally browsing the B2C e-commerce website (product pages and the like) but not for viewing pages with sensitive information (like account detail pages and checkout pages).

It should be provided for browsing because it is, in a way, asking too much to force a customer to enable session cookies just to browse, when there's no tangible benefit to the customer. For viewing sensitive pages, on the other hand, the tangible benefit is security and ease of use.

--Why ease of use? I mentioned this because I think sufficient security *can* be provided for sensitive pages using URL encoding, but it would require a customer to log in *every* time she requests a protected page. This is because links can easily be copied to friends and by other means, which exposes the session ID and hence the session, so every single request must be treated like a potential Black Hat is trying to hijack the session and steal precious data. This seems too tedious for anybody to bear.

With a session cookie, on the other hand, the session ID isn't going to wind up in web server logs, in plain text in the URL textbox at the top of the browser window, getting copied to friends and posted on discussion boards, etc. It is simply stored in RAM on a single customer's computer and is exposed only when being sent for each request.

--Granted, this is still a significant risk, as the cookie could rather easily be captured if not encrypted, so an SSL connection is in order. But this seems to be a moot point because the connection should be encrypted anyway after logging into a protected part of the site. So the same encryption that protects the sensitive form/document data being sent back and forth will also protect the HTTP request header containing the cookie, from what I understand about SSL. (It does encrypt the whole HTTP packet, right?)

--Antonio also raised the issue of whether to store data like a credit card number in the session, stating that it'd probably be better stored in the database and fetched later. I

a.) It's slow (have to go to backend server + get data from disk vs. reading from memory on front end server).
b.) Since we have no way of knowing when a customer closes her browser and stops shopping (terminating her session), how would we expunge this data from the database in a timely manner?
c.) Our current policy is to never store a full credit card number in the database, but only the last 4 digits and this only after the transaction is processed and goes through. Rather, we just store the number in the session so we can later send it to the payment processor (over another SSL connection)
d.) If we're still fetching the data based upon a session ID, it seems like a moot point to talk about where to store the data. Rather, it seems the question of how to protect the session ID is still the crucial issue.


Despite the thoughts I listed above, I'd be interested to hear all your thoughts on this, as I could very well be missing things.

--Another question: When switching from URL encoding to using a session cookie or vice versa during the *same* session, is the same session ID used?

If so, then let's say a customer came to the site with session cookies disabled and browsed around for awhile using URL encoding. Say she copied links to a few of her friends (containing her session ID, of course) and now she goes to checkout. She discovers she needs to enable session cookies to log in and does so. Now she goes about entering sensitive personal info which is to be stored in the session.

However, if her session ID is still the same as it was when using URL encoding, then the SSL protection for the cookie being sent back and forth is worthless. Or am I missing something here?

--Using URL encoding for general browsing still exposes one's shopping cart to being seen and being changed since logging in isn't currently required to view/change the cart. Ideally, I'd like the cart to be protected as well so each customer has a truly private experience, whether URL encoding or session cookies are being used.

Thoughts on what to do here?

--While I think the idea of requiring session cookies enabled to log in is a good one, how does one implement it? I mean, how can one programmatically tell if session cookies are enabled and prohibit logging in if they are not?

As always, I welcome everybody to share any insights they'd like to.

Thanks,

Sonny


From: "Antonio Gallardo" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: Re: Need Session Help!
Date: Wed, 24 Sep 2003 17:49:15 -0600 (CST)

Sonny Sukumar dijo:
>
> Hi guys,
>
> I know I've brought up some session questions before, and I gained great
> insight from those discussions, but there's some issues I want to
> understand better before I make implementation decisions. Assume the
> context of a B2C e-commerce site when considering these issues....
>
> ---Assume URL encoding is being used because a customer has all cookies
> turned
> off.
>
> 1.) Customer puts a few items in her shopping cart.
> 2.) Customer logs in to view some account details.
> 3.) Customer then sees her friend on IM and copies a product page URL to
> her friend. This URL contains her session ID.
> 4.) The friend clicks on the link and views the product page. However,
> she now can click on "My Account" or whatever or "My Cart", and because
> she'll appear to be the first customer (she has the same session ID),
> she can view all the personal details she shouldn't be able to.


Yep. This is the cruel true. Some systems does not allow people to LogIn
if they have not cokies enable (SquirrelMail is one of them).

> What's the best way to go here? I'm thinking that if
> A.) a given page allows URL encoding to be used and
> B.) it contains *any* sensitive info that shouldn't be seen even if the
> URL is
> copied and
> C.) even if the customer is already logged in
>
> then the customer should have to log in to see that page every time that
> page
> is requested. This seems like a hard policy to implement though (and
> tedious
> for the customer), and I don't see any support for it in the Auth
> Framework.


Auth-FW use the session-FW. If you does not give the
jsessionid=277C6FCB22B55AAF661F381AA867FC73 then the "friend" will need to
LogIn too.

Some sites allow you to post the links to friends with or without cokies,
but when you decide to checkout you need to write your password again.
This can be one solution.

> After all, if you have the session ID and the
> "authentication" context is in the session, then you're considered
> logged in.  And with URL encoding, anybody could go and view your
> account details.

Yep. For the time the session is valid.

>
> So I don't like URL encoding. :-) However, I'm worried about losing
> customers
> who don't have cookies turned on and I notice that most major e-commerce
> sites allow URL encoding. What would you do?
>
> --Should I ever allow URL encoding during the secure checkout process?


The answer is above for URL encoding: The user must reenter the password.
>
> In theory it seems like if I'm storing a super sensitive piece of data
> like  a
> credit card number in the session, then I wouldn't want the session ID
> being so visible as it is when in the URL textbox at the top of the
> browser  window.

No, I think the session cannot have too many info. All this info must be
stored in a database and picked from there just only when you need it. It
is not fine to let credit card info "fly" into the internet with no sense.

> URLs are also often stored in web server logs and other places, and if
> it contains the session ID this can spell trouble because there's a
> "window of vulnerability".  Our session timeout is set to 4 hours, so
> that's 4 hours during which somebody could access that sensitive info.

I agree, but the window will be smaller if the user need to reenter the
password.

>
> On the other hand, if pages coming before the checkout allow URL
> encoding and
> the checkout process doesn't, then that gives the impression that the
> site will always work even with session cookies turned off. Then the
> customer finally finds what she wants, puts it in her cart, and heads to
> checkout--only to find that she needs to have cookies enabled!


> I'm not
> sure that's the best way to go, although it can be argued from a
> security perspective (but customers are emotional and won't consider
> technical/security aspects for a second).

I think with the increments of e-frauds they are really concerning about
this. Many people often ask me about if is secure buy in the Net. Also
they also are concerned if they can trust in the site. OK, this is just my
view of the situation.

Often some people ask me to be there when they will buy, just to be sure
all will be OK and they will not give away more info that needed.

Media are helping us in this arena. I think people is getting into the
e-commerce slowly, becuse they know, there can be problems and they dont
want to pay a bill from a e-fraud.

> --If URL encoding was being used on a previous page, and then now (say 5
> minutes later, or sometime later that still comes before the session
> times out) session cookies are enabled, would it still be possible to
> use the previously encoded session ID to access the session? Or would
> Tomcat destroy
> that session ID key as soon as it recognizes it can use cookies?


Dont know.

> For example, if my encoded session ID was "ABCD" (just an example!), and
> now I
> turn on cookies so the next page I request has no more encoded session
> ID, can I still somehow use that session ID to access the session?
>
> My guess is no, but I thought I'd ask.


Good question.
>
> --I'm also pretty sure about this, but I thought I'd ask this too... :-)
>
> Just because somebody gets ahold of the session ID, there's no possible
> way for them to *actually* access the session is there? I mean, they'd
> have to rely on requesting a page that happens to hand over that
> sensitive info stored in the session, right?


Yep. The session info is stored in the server. The session ID is just a
handler to this info.

> Again, I'm fairly sure they can't actually fetch the Java objects, or
> even read the bytes out of server memory, but it's almost a moot point
> since  pages
> are always going to exist to serve up that info.  Otherwise the info
> wouldn't
> be stored in the session in the first place. :-/
>
> Thanks for your help and insights,

Thanks for this interesting discusion.

Antonio Gallardo.




--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]


_________________________________________________________________
Frustrated with dial-up? Get high-speed for as low as $29.95/month (depending on the local service providers in your area). https://broadband.msn.com



--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]


_________________________________________________________________
Instant message in style with MSN Messenger 6.0. Download it now FREE! http://msnmessenger-download.com



--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]



Reply via email to