Session Cookies and SSL

PHP has an option to force secure cookies to be set within the web … There is a short video tutorial that shows how to surf jacket. …

1 Introduction
2 Protocols
2.1 ISO / OSI layer model
2.2 Transmission Control Protocol
2.3 Hypertext Transfer Protocol (HTTP)
2.3.1 HTML Forms, GET and POST data
2.3.2 Cookies
2.3.3 Cookies for sessions
2.4 SSL / TLS and HTTPS
2.4.1 SSL connections on a cryptographic level
2.4.2 Certificates
3 Attacks on Sessions
3.1 Sniffing
3.2 Session hijacking
3.3 Forwarding traffic to SSL
4 An attack on SSL-secured sessions
4.1 Publications about SSL-Session hijacking
4.2 Disabling HTTP will not help
4.3 HTTP basic access authentication (HTTP auth)
4.4 Attack step by step
4.5 Solution: Code example in PHP
4.6 Hybrid solution
5 Examples
5.1 Menalto Gallery, Mantis, Squirrelmail
5.2 Drupal
5.3 Serendipity
5.4 WordPress
5.5 eBay
5.6 Other examples for attacks against sessions
5.6.1 Cross Site Scripting (XSS)
5.6.2 Cross Site Request Forgery (CSRF)
6 Conclusion
6.1 Severity
6.2 Measurements
6.3 An alternative to HTTP?
A Used tools
A.1 CookieMonster extension for Firefox
A.2 Add N Edit Cookies (AnEC) extension for Firefox
A.3 Wireshark
A.4 surfjack

Download Session Cookies and SSL pdf from www.hboeck.de, 24 pages, 316.28KB.