Here is my starting point: a web application has a homepage that allows users to register or log in. When a user logs in (over an SSL connection) the credentials are transferred securely between the client and the server and verified there. After successfully verifying the credentials, how sure can the server be that an incoming connection is from the same authenticated user and not anyone else?
For a more specific example, suppose the server sends an authentication token back to the user, which the user then presents whenever personal data is accessed or modified. Wherever this token is stored (cookies (not safe), a PHP session (not familiar with this), or elsewhere), as soon as the user accesses his information and POSTs (or, worse, GETs) the token to the server, anyone who captures that token can use it until the token is no longer valid. Should a new token be issued every time, so that eavesdropping parties are always one step behind and only get hold of the old token?
What are the ways for the server to know that a request comes from an authenticated user, and that other parties are denied access to that account?
Just changing your session ID, or token, or whatever, will not help you. It would be easy to automate.
You have step #1 ... using SSL. First of all, it helps prevent anyone from intercepting the data.
You should also track the client IP address on the server, so that if a request comes in for a specific session and the IP does not match, you know that either there is spoofing or the user has a new address, in which case they must re-authenticate.
There are many other methods; I have seen some around Stack Overflow. I will post them here as I find them, but it is best to use a combination of techniques.
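The server-side check the answer above describes (an unguessable session token bound to the client IP, with forced re-authentication on mismatch or expiry), as an added example that is not code from the original post. The in-memory store, the function names and the 30-minute idle timeout are assumptions; a real deployment would keep the records in a server-side session store.

```python
import secrets
import time

# Constructed in-memory session store: session_id -> record.
# Stand-in for a database, Redis, or a PHP session handler.
SESSIONS = {}
SESSION_TTL = 1800  # seconds of inactivity before a session expires (assumed value)


def create_session(user, client_ip, now=None):
    """Issue a fresh, unguessable session id bound to the authenticating client's IP."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, not derived from user data
    SESSIONS[sid] = {"user": user, "ip": client_ip, "last_seen": now}
    return sid


def validate_request(sid, client_ip, now=None):
    """Return the user for a valid session, or None if the request must re-authenticate.

    Rejects unknown ids, expired sessions, and a session presented from a
    different IP than the one it was issued to. A mismatched or expired
    session is destroyed, so the old token cannot be replayed afterwards.
    """
    now = time.time() if now is None else now
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if now - record["last_seen"] > SESSION_TTL:
        del SESSIONS[sid]
        return None
    if record["ip"] != client_ip:
        # Either a hijack attempt or a legitimate address change (mobile
        # networks, NAT pools); both require a fresh login.
        del SESSIONS[sid]
        return None
    record["last_seen"] = now  # sliding expiry on legitimate activity
    return record["user"]


def logout(sid):
    """Destroy a session explicitly so its token is worthless from then on."""
    return SESSIONS.pop(sid, None) is not None
```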