Quoting Chris Travers <chris@travelamericas.com>:
> From: "Keith C. Perry" <netadmin@vcsn.com>
> > Using an MD5 hash to "hide" them will slow your app down by some delta and
> > not protect your connection. Granted garbling that id with a password is
> > somewhat more secure but your connection could still be attacked or even
> > hijacked.
> >
> > In the URL's you gave above, why are you not using HTTPS (i.e.
> > authentication)? What about using cryptographic cookies to identify your
> > session and link that to your userid (after authorization)?
>
> Https I can see. I am having difficulty understanding how you could use
> cryptographic cookies to prevent session hijacking though given the current
> setup.
Cryptographic cookies are actually how TCP SYN flood protection is done on Linux
and I think Solaris, so in my case the OS is handling that. What is implemented
there could be implemented at the application layer, but I don't think that
becomes valid once you are using HTTPS since it provides similar facilities.
In my applications, I simply have Apache push a cookie to the browser (during
authorization) which is then used as the session key. Additionally, I almost
always use POST methods instead of GET (I hate exposing application logic that
way). Every time a user does something, the presence of that cookie is checked
in the database.
> Also you could use ssl between the web server and PostgreSQL to
> secure that connection.
True, but that is only half the story. Your client interface is what is
public. I would SSL the web <--> db connection as a standard, but I would be
less concerned about (what I'm assuming is) a local connection behind the DMZ.
> As a side question: Does PostgreSQL support using Kerberos for encrypted
> connections (beyond authentication), or do you need to use SSL for that?
>
> Best Wishes,
> Chris Travers
>
Not sure about that one but if so, I'm sure someone will speak up :)
--
Keith C. Perry, MS E.E.
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com
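The session scheme Keith describes (a cookie issued at authorization, used as the session key, and checked against the database on every request) as an added example; this is not code from the thread, and the SQLite in-memory table, the one-hour lifetime and the helper names are assumptions standing in for his Apache/PostgreSQL setup:

```python
import secrets
import sqlite3
import time

# Constructed example: a server-side session table, a random session key
# issued after the user authenticates, and a per-request lookup that rejects
# unknown, forged or expired cookies. SQLite stands in for PostgreSQL.
SESSION_TTL = 3600  # seconds; assumed lifetime, not from the thread


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (key TEXT PRIMARY KEY, userid INTEGER, expires REAL)")
    return db


def issue_session(db, userid, now=None):
    """After authorization: mint an unguessable key and bind it to the userid."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 random bits, not a hash of the userid
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (key, userid, now + SESSION_TTL))
    db.commit()
    return key


def lookup_session(db, cookie, now=None):
    """Per-request check: return the userid bound to the cookie, or None."""
    now = time.time() if now is None else now
    if not isinstance(cookie, str) or len(cookie) > 64:
        return None
    row = db.execute("SELECT userid, expires FROM sessions WHERE key = ?", (cookie,)).fetchone()
    if row is None or row[1] < now:
        return None  # unknown or forged key, or an expired session
    return row[0]


def end_session(db, cookie):
    """Logout: the key stops working immediately because the server forgets it."""
    db.execute("DELETE FROM sessions WHERE key = ?", (cookie,))
    db.commit()


def demo():
    db = open_db()
    t0 = 1_000_000.0
    key = issue_session(db, userid=42, now=t0)
    ok = lookup_session(db, key, now=t0 + 10)              # valid cookie -> 42
    forged = lookup_session(db, "42", now=t0 + 10)         # a bare userid is not a key
    expired = lookup_session(db, key, now=t0 + SESSION_TTL + 1)
    end_session(db, key)
    revoked = lookup_session(db, key, now=t0 + 10)
    return ok, forged, expired, revoked                    # (42, None, None, None)
```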