[thelist] Security when managing online sessions

Chris Blessing webguy at mail.rit.edu
Tue Dec 4 17:15:10 CST 2001


I'm currently working on my company's new website which includes a section
where users can register/login/change account info/etc.  I plan on doing all
user account interaction (i.e. account changes, registrations, purchases,
etc.) on an SSL layer on our server.  My question is this: since this is
128-bit encrypted, can I carelessly throw information like usernames and
passwords across the net and into session vars (cookies) without worrying
about security issues?  The only way this could go wrong I suppose is if
someone 1) hacks into our db server (SQL Server 7.0), or 2) obtains the
session cookie from the user's machine while their session is active.

What do you think?  I'm using ASP if you're curious.  TIA.

Chris Blessing
webguy at mail.rit.edu
http://www.330i.net




