
Submission + - Why Is Slashdot Session Management Insecure (slashdot.org)

al0ha writes: Why is it that Slashdot session management is insecure? If you force HTTPS during login, then session cookies are set for encrypted sessions only, so for the rest of the site you are not logged in. If you log in over insecure HTTP, then the session cookies are set for any connection.

This is totally lame and makes session hijacking via Firesheep simple, as well as credential sniffing on the wire and wireless.

How geeky can Geeknet be if they can't even handle session management appropriately?

The password change page and login pages should be protected by HTTPS. Then session cookies appropriate for general content or for privileged content (like changing account information) should be set, where privileged content always runs over HTTPS.
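The two-tier scheme sketched in the last paragraph (HTTPS-only login, a general session cookie for ordinary pages, and a separate Secure-flagged cookie that alone authorizes account changes), written out as an added Python example. This is illustration code, not part of the submission and not Slashdot's or Geeknet's implementation; the signing key, token format, cookie names and action names are constructed for the example.

```python
"""Two-tier session cookies.

'session'      : HttpOnly, not Secure; the browser sends it over plain HTTP too,
                 so it can authenticate low-risk actions on unencrypted pages.
'session_priv' : Secure + HttpOnly; the browser only ever sends it over HTTPS,
                 and it is the only cookie accepted for privileged actions.
A 'session' cookie captured on an open wireless network therefore cannot be
replayed to change the account's password or e-mail.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

PRIVILEGED_ACTIONS = {"change_password", "change_email"}  # constructed names


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload so tampering is detectable."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _make_token(user_id: str, tier: str) -> str:
    """Token layout (constructed): user:tier:nonce:signature."""
    payload = f"{user_id}:{tier}:{secrets.token_hex(16)}"
    return f"{payload}:{_sign(payload)}"


def _verify_token(token: str, tier: str):
    """Return the user id if the token is intact and carries `tier`, else None."""
    parts = token.split(":")
    if len(parts) != 4:
        return None
    user_id, tok_tier, nonce, sig = parts
    payload = f"{user_id}:{tok_tier}:{nonce}"
    if tok_tier != tier or not hmac.compare_digest(sig, _sign(payload)):
        return None
    return user_id


def issue_session_cookies(user_id: str, login_scheme: str) -> SimpleCookie:
    """Build the Set-Cookie headers for a successful login.

    The login form itself is only accepted over HTTPS, so neither the password
    nor the privileged cookie ever crosses the wire in clear.
    """
    if login_scheme != "https":
        raise PermissionError("login must be submitted over HTTPS")
    jar = SimpleCookie()
    jar["session"] = _make_token(user_id, "general")
    jar["session"]["httponly"] = True
    jar["session"]["path"] = "/"
    jar["session_priv"] = _make_token(user_id, "privileged")
    jar["session_priv"]["secure"] = True      # browser withholds it on http://
    jar["session_priv"]["httponly"] = True
    jar["session_priv"]["path"] = "/"
    return jar


def browser_cookie_header(jar: SimpleCookie, scheme: str) -> str:
    """Model the browser rule: cookies marked Secure are sent only over HTTPS.

    The returned string is what a sniffer on the path would see in the
    Cookie: request header for a page fetched over `scheme`.
    """
    sent = [f"{name}={morsel.value}" for name, morsel in jar.items()
            if scheme == "https" or not morsel["secure"]]
    return "; ".join(sent)


def authorize(action: str, cookie_header: str, scheme: str):
    """Return the user id permitted to perform `action`, or None.

    Privileged actions require both an HTTPS request and a valid privileged
    token; presenting the general token under the privileged cookie name fails
    because the tier is bound into the signed payload.
    """
    cookies = SimpleCookie(cookie_header)
    if action in PRIVILEGED_ACTIONS:
        if scheme != "https" or "session_priv" not in cookies:
            return None
        return _verify_token(cookies["session_priv"].value, "privileged")
    if "session" not in cookies:
        return None
    return _verify_token(cookies["session"].value, "general")


if __name__ == "__main__":
    jar = issue_session_cookies("al0ha", "https")
    over_http = browser_cookie_header(jar, "http")
    print("seen on the wire over HTTP:", over_http)
    print("read over HTTP:", authorize("read", over_http, "http"))
    print("change_password with sniffed cookie:",
          authorize("change_password", over_http, "https"))
```

The point of binding the tier into the signed payload is that the server never trusts the cookie name alone: a token issued as `general` stays `general` no matter which cookie slot an attacker puts it in. Note that the general cookie still travels in clear on http:// pages, so it should carry only the privileges the site is willing to lose to a Firesheep-style capture (reading, posting) and should be rotated on logout.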
