
Re: Oracle Web Application Server

From: <bonanos_at_yahoo.com>
Date: Fri, 31 Jul 1998 06:29:32 GMT
Message-ID: <6pro8c$ei7$1@nnrp1.dejanews.com>


Hi Tommy

> What we do:
> Normal web form asking for username and password, which sends back via
> https (secure sockets layer).
> If the pair is valid, generate a session id, and send that back as a
> cookie (or include in the URL if the user doesn't accept cookies). The
> cookie has no expiry date, so it's never stored on the user's machine
> (it dies at the end of the session).
> Also make a note of the user's IP address.

> First thing we do in all code is check the session id (either as a
> parameter, or as a cookie), and validate that it comes from the right
> IP address.

> I can't think of any security holes in that that don't apply to other
> models too... and it does cover the problem I mentioned above (if it
> exists...)

I think the model you described is a good one; I also use a cookie that expires after the session ends. Also, if security is breached your whole system is not compromised, only on a user-to-user account basis. If your user reports a violation you can then investigate the IPs from which his account has been logged in. Not perfect, due to IP masking techniques, but then what is on the Internet?

The other nice thing about using session cookies is that your cookies file cannot be examined to see what cookies and values your site is sending.

And as far as I know it is not easy to program a session cookie into your browser.
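The scheme Tommy describes and the reply endorses (a random session id issued after a password check, carried in an expiry-less cookie or a URL parameter, bound to the IP seen at login, and checked first on every page) as an added example; this is not code from either poster. The in-memory store, the `SESSION` cookie name, the `session` query parameter and the `Secure`/`HttpOnly` attributes are my assumptions, and the login log is there only to support the "investigate the IPs" step from the reply.

```python
import secrets
from typing import Callable, Optional

# Constructed in-memory stores (assumption: a real server keeps these in a database).
SESSIONS: dict[str, str] = {}          # session id -> client IP recorded at login
LOGIN_LOG: list[tuple[str, str]] = []  # (username, client IP) for later investigation


def login(username: str, password: str, client_ip: str,
          check_credentials: Callable[[str, str], bool]) -> Optional[str]:
    """If the username/password pair is valid, mint a session id and remember the IP."""
    if not check_credentials(username, password):
        return None
    # Unguessable id from the OS CSPRNG; never derived from the username or the clock.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = client_ip
    LOGIN_LOG.append((username, client_ip))
    return session_id


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with no Expires/Max-Age: the browser keeps it in memory only and
    drops it when the browser session ends (the 'session cookie' in the post).
    Secure and HttpOnly are later additions the post does not mention."""
    return f"Set-Cookie: SESSION={session_id}; Path=/; Secure; HttpOnly"


def extract_session_id(cookie_header: str, query_params: dict) -> Optional[str]:
    """Accept the id as a cookie, or as a URL parameter for browsers that refuse cookies."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSION" and value:
            return value
    return query_params.get("session")


def validate_request(cookie_header: str, query_params: dict, client_ip: str) -> bool:
    """First thing every page does: the session id must exist and the request must
    come from the IP recorded at login. Note the caveat from the thread: users behind
    a rotating proxy pool will fail this check even though their session is genuine."""
    session_id = extract_session_id(cookie_header, query_params)
    if session_id is None:
        return False
    recorded_ip = SESSIONS.get(session_id)
    return recorded_ip is not None and recorded_ip == client_ip


def logins_for(username: str) -> list[str]:
    """IPs an account has been logged in from, for investigating a reported violation."""
    return [ip for user, ip in LOGIN_LOG if user == username]
```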

Received on Fri Jul 31 1998 - 01:29:32 CDT
