Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Submission + - Why Is Slashdot Session Management Insecure (slashdot.org)

al0ha writes: Why is it that Slashdot session management is insecure? If you force HTTPS during login, then session cookies are set for encrypted sessions only, so for the rest of the site you are not logged in. If you login over insecure HTTP, then the session cookies are set for any connection.

This is totally lame and makes session hijacking via FireSheep simple, as well as credential sniffing on the wire and wireless.

How Geeky can Geeknet be if they can't even handle session management appropriately?

The password change page and login pages should be protected by HTTPS. Then session cookies appropriate for general content, or privileged content (like changing account information) should be set where privileged content always runs over HTTPS.

Slashdot Top Deals

There must be more to life than having everything. -- Maurice Sendak

Working...