
Re: [cgiapp] Perl CGI authentication and session management


> Question: are the HTTP requests (with CGI fields and values, including
> session_id) encrypted when using https?

Everything you send or receive via https is encrypted.
This even includes the HTTP headers, which is why name-based virtual hosting does not work with https.

> Cookies are a bit more insecure because they are stored on the
> client machine in unencrypted format.

Okay.

Yes, but since you only store a session ID (at least this is what you should do) which is a random number that also expires after some time,
that is not such a big problem.

Also, session cookies are usually not stored on disk in the client machine, but just in the browser's memory and go away if you close the browser.

Depending on how paranoid you are you can also set the "secure connection" flag on the cookie, so the cookie will only be sent via encrypted connections.


Cheers,

Thilo


PS:

> I suspected as much.  The only solution I could think of was digital
> signatures on both the client and the server.

Well, the real high-end solution would be to use SSL client authentication.
This is a feature of SSL, that you can use when connecting via https.
I have no idea how to do that in Perl, but if you find a way you can retrieve the client SSL certificate and verify his identity that way. The advantage is that you do not need any other authentication mechanisms (no passwords, single sign-on). The drawback is that you need a full-fledged public key infrastructure, including client certificates for ALL your users.
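The session-cookie advice above (store only a random session ID, let it expire, set the secure flag), put together in a CGI script. This is an added example, not code from the thread or from CGI::Application; it assumes a CGI.pm recent enough to accept `-httponly` on `CGI::Cookie`, a `/dev/urandom` device, and an in-memory hash standing in for whatever server-side session store the application really uses.

```perl
#!/usr/bin/perl
# Added example (not from the list thread): issue a session cookie that
# carries only an opaque random ID, expires server-side, and is marked
# Secure so the browser only sends it over https.
use strict;
use warnings;
use CGI;
use CGI::Cookie;

# Assumption: server-side store keyed by session ID. An in-memory hash is
# enough to show the logic; a real app would use a file or DB store.
my %sessions;
use constant SESSION_TTL => 3600;   # seconds

# 128 bits from the OS CSPRNG, hex-encoded. Perl's rand() is not suitable
# for session IDs because its output is predictable.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return unpack 'H*', $bytes;   # 32 hex characters
}

sub create_session {
    my ($user) = @_;
    my $id = new_session_id();
    $sessions{$id} = { user => $user, expires => time + SESSION_TTL };
    return $id;
}

# Returns the session record, or undef if the ID is malformed, unknown
# or expired. Expired records are discarded so they cannot be revived.
sub lookup_session {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    my $s = $sessions{$id} or return undef;
    if ($s->{expires} < time) {
        delete $sessions{$id};
        return undef;
    }
    return $s;
}

my $q   = CGI->new;
my $sid = create_session('alice');   # constructed sample user

my $cookie = CGI::Cookie->new(
    -name     => 'session_id',
    -value    => $sid,
    -expires  => '+1h',   # browser-side hint only; the server-side TTL decides
    -secure   => 1,       # only sent over https
    -httponly => 1,       # not readable by page scripts
    -path     => '/',
);

print $q->header(-type => 'text/plain', -cookie => $cookie);
my $s = lookup_session($sid);
print "session issued for ", ($s ? $s->{user} : 'nobody'), "\n";
```

Note that the cookie's `-expires` is only a hint to the browser; the check that actually ends the session is the server-side `expires` timestamp in `lookup_session`, which a client cannot extend by editing the cookie.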
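For the SSL client authentication mentioned in the PS, the usual way to get at it from Perl CGI is to let the web server do the TLS handshake and read its result from the environment. This is an added example, not from the thread; it assumes Apache with mod_ssl and the configuration shown in the comments (the CA file path is a placeholder), under which mod_ssl only admits requests whose client certificate chains to your CA and exports the `SSL_CLIENT_*` variables.

```perl
#!/usr/bin/perl
# Added example (not from the thread): read the outcome of SSL client
# authentication performed by Apache mod_ssl from a CGI script.
#
# Assumed Apache configuration for the protected location:
#   SSLVerifyClient require
#   SSLCACertificateFile /path/to/your-ca.pem    # placeholder path
#   SSLOptions +StdEnvVars
# With this in place the request only reaches the script after the client
# certificate verified against the configured CA.
use strict;
use warnings;
use CGI;

# Returns the authenticated subject DN, or undef if mod_ssl did not report
# a successfully verified client certificate (e.g. the location is not
# protected as assumed). Do not trust SSL_CLIENT_S_DN without this check.
sub authenticated_client_dn {
    my $verify = $ENV{SSL_CLIENT_VERIFY} // '';
    return undef unless $verify eq 'SUCCESS';
    return $ENV{SSL_CLIENT_S_DN};
}

my $q  = CGI->new;
my $dn = authenticated_client_dn();
if (defined $dn) {
    print $q->header(-type => 'text/plain');
    print "Authenticated as: $dn\n";   # map the DN to a local user from here
} else {
    print $q->header(-type => 'text/plain', -status => '403 Forbidden');
    print "Client certificate required\n";
}
```

The password-free, single-sign-on property Thilo describes comes from the server requiring the certificate before the script runs; the script's own job is limited to checking `SSL_CLIENT_VERIFY` and mapping the certificate subject to a local account.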


