Disclaimer: the following is all "to the best of my knowledge". Take it for what it's worth.
On 8-Nov-04, at 9:27 AM, Martin Moss wrote:
So therefore I wonder if I can use this, e.g. map my session_id to a UUID, and then when I check the session is valid I cross-check this; however, I'm not sure if I can get the UUID over a non-SSL connection.
Assuming you're talking about the SSL session-id, that is only available over an SSL connection. Even with SSL connections, there is actually nothing stopping the client from opening more than one SSL connection and therefore having more than one SSL connection-id. So that seems to me like a dead end.
I'm sure I'm not the first person to want to uniquely identify a computer that comes to my site, without blindly trusting cookies, but I'm at a loss as to how to find anything better than IP-address-to-session-cookie mapping (which is kinda pointless for NATted addresses, I know).
It is very hard to trust anything that comes in over a non-ssl connection. If you are concerned about security, I'd recommend using ssl consistently throughout the session. This will at least deal with the case where cookies are stolen by monitoring the connection (assuming you've taken adequate care to avoid man-in-the-middle attacks).
Stealing a session cookie from the client's cookie jar is harder to protect against. On the other hand, it is perhaps not so easy to do. One might think that a security-conscious browser would not commit session cookies to disk, but I don't know which (if any) browsers do this (and in any event, it may be possible to snatch them out of memory, or through some XSS hack.)
All the same, session cookies with SSL are a reasonably secure mechanism; "good enough" unless you are running a site which requires a very high degree of security. In the latter case, you probably want to investigate client SSL certificates and/or other high-grade security solutions.
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
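The advice in the reply above (random session IDs, SSL throughout so the cookie never crosses a plaintext connection, and the weakness of binding a session to the client IP behind NAT) written out as a small worked example. This is added code for illustration, not from the thread or from mod_perl; the request dict shape (`is_ssl`, `client_ip`, `cookies`), the `store` mapping and the `SESSION_TTL` value are assumptions standing in for whatever the real server and session backend provide.

```python
import hashlib
import secrets
import time

SESSION_TTL = 3600  # seconds; an assumed value, not something the thread specifies


def session_key(sid):
    """Index the store by a hash of the ID, so a dump of the store does not
    hand out usable session IDs and lookup is a single dict access."""
    return hashlib.sha256(sid.encode("utf-8")).hexdigest()


def issue_session(store, user, client_ip, now=None):
    """Create an unguessable session ID and register it server-side.

    `store` is any dict-like mapping (a real site would use a DB or cache).
    """
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
    store[session_key(sid)] = {"user": user, "ip": client_ip, "issued": now}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value that keeps the ID off plaintext connections.

    Secure   -> the browser returns the cookie only over SSL, so a sniffer on
                the non-SSL side never sees it.
    HttpOnly -> document.cookie cannot read it, narrowing the XSS route the
                reply mentions (it does nothing against memory/disk theft).
    """
    return f"session={sid}; Secure; HttpOnly; Path=/"


def validate_session(store, request, now=None, bind_ip=False):
    """Return the user owning the session, or None if it must not be trusted.

    `request` is a plain dict standing in for the server's request object:
    {"is_ssl": bool, "client_ip": str, "cookies": {name: value}} (assumed shape).
    """
    now = time.time() if now is None else now
    # Rule from the reply: nothing arriving over a non-SSL connection is trusted,
    # so a session presented on plain HTTP is rejected outright.
    if not request.get("is_ssl"):
        return None
    sid = request.get("cookies", {}).get("session")
    if not sid:
        return None
    key = session_key(sid)
    entry = store.get(key)
    if entry is None:
        return None
    if now - entry["issued"] > SESSION_TTL:
        del store[key]  # expired: drop it so a late replay cannot revive it
        return None
    # Optional IP binding. It stops a stolen cookie being replayed from another
    # network, but every client behind the same NAT shares one address, so it
    # cannot tell them apart, and it logs out users whose address changes.
    if bind_ip and entry["ip"] != request.get("client_ip"):
        return None
    return entry["user"]


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real site.
    store = {}
    sid = issue_session(store, "martin", "10.0.0.5")
    print(session_cookie_header(sid))
    over_ssl = {"is_ssl": True, "client_ip": "10.0.0.5", "cookies": {"session": sid}}
    print("SSL, same IP:", validate_session(store, over_ssl, bind_ip=True))
    print("plain HTTP:", validate_session(store, dict(over_ssl, is_ssl=False)))
    # A second machine behind the same NAT presenting the stolen cookie is
    # indistinguishable from the owner, even with IP binding switched on.
    print("NAT neighbour:", validate_session(store, dict(over_ssl), bind_ip=True))
    print("other network:", validate_session(store, dict(over_ssl, client_ip="192.0.2.9"), bind_ip=True))
```

The point the demo makes is the one the reply makes: the real protection comes from the cookie being random and only ever travelling inside SSL (`Secure` plus a server that refuses plaintext sessions); IP binding is at best a weak extra that a NAT neighbour passes and a legitimate roaming user fails.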
