Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×

Submission + - Why Is Slashdot Session Management Insecure (slashdot.org)

al0ha writes: Why is it that Slashdot session management is insecure? If you force HTTPS during login, then session cookies are set for encrypted sessions only, so for the rest of the site you are not logged in. If you login over insecure HTTP, then the session cookies are set for any connection.

This is totally lame and makes session hijacking via FireSheep simple, as well as credential sniffing on the wire and wireless.

How Geeky can Geeknet be if they can't even handle session management appropriately?

The password change page and login pages should be protected by HTTPS. Then session cookies appropriate for general content, or privileged content (like changing account information) should be set where privileged content always runs over HTTPS.

Slashdot Top Deals

"Consistency requires you to be as ignorant today as you were a year ago." -- Bernard Berenson

Working...