security - How to protect session id and cookies without using SSL/HTTPS?


As I understand it, if I use SSL/HTTPS, cookies and session IDs do not travel as plain text on the wire. Otherwise, an attacker can use a packet sniffer to get their hands on them. How can I secure them without using SSL/HTTPS? I anticipate that, to take care of this, the solution will have to do something on both the client side and the server side. My server side is Java.

You can use something to encrypt cookies before sending them. Instead of a session identifier, you can use the requesting IP address, or some other identifier which is typically 100% specific to the user.

So, to set this up, you create a server key k. After this, you create the cookie as follows:

    keyhmac   = HMAC(username + expirytime, k)
    encrypted = ENCRYPT(data, keyhmac)
    hmacenc   = HMAC(username + expirytime + data + sessionidentifier, keyhmac)
    cookie    = username + expirytime + encrypted + hmacenc

Then you can decrypt it later using the reverse process. The HMAC confirms that it was not tampered with on the way to your server (assuming that k is really secret)...

The fact that it includes the session identifier (SSL is best, but the IP can possibly serve) means that it is immune to replay or hijacking attacks.

SSL would be best, but you can achieve a very good system by using an encryption scheme in this way. This scheme would have to be combined with SSL, which in turn prevents all types of attacks (MITM tampering, but also other MITM attacks)...
