security - Harm of passing session id as url parameter


So I noticed one of the internet banks' websites passing the session id as a URL parameter (see image below).

(image not available)

I hadn't seen ';' anywhere in a URL before, like in this case after 'private;'.

1) What is the use of ';'?

2) Also, why does an internet bank, which needs to be the securest place on the internet, pass the session id as a URL parameter?

At first I thought they were doing it because some users disallow the use of cookies, but then again, if you allow cookies they would use cookies, and if not - the URL. I allow the use of cookies, so that's not the case.

3) I guess they should have other security measures? What would they be?

4) Also, can one possibly log in if one knows somebody else's valid session id? I know you can quite easily log in to other people's sessions if you know the id, because it's not hard to edit cookies, and it's even easier to pass the session id as a URL parameter if you have something like:

session_id($_GET['sessionid']); // session id taken straight from the query string

Thanks!

1) You should ask whoever designed the application what the red box is covering. A URL can be anything you want; the convention of key=value&key2=value2 is just a convention. In this case it's Java, which commonly uses the convention of ;jsessionid=.... for the SID.

2) It's not that big of a deal. Normal users can't copy-paste cookies but can copy-paste a parameter; power users can do whatever they want (using mechanize, wget, curl, other non-browser means, or browser extensions). So if you allow some users and disallow others, it's not much of a security precaution, is it? Basically, a cookie SID makes the attack a bit harder, but it's like putting the front door key under the mat - it doesn't keep the door secure. Additionally, cookies are shared between tabs: if the site wants you to be logged in to 2 accounts at once, it can't use cookies.

3) Server-side security, yes. One effective countermeasure is one-time SIDs (each time you visit a page, the server reads the session for the current SID, then starts a new session with a new SID for the next request). A less effective but still useful method is to validate other information for consistency (e.g. - still the same IP? still the same browser?).

4) Yes, if you know someone's valid SID, and the server does not adequately protect against session fixation, you can "become" that person. That might enable the attacker to, say, pay bills with your money, for instance.
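A server-side sketch of the two countermeasures from point 3 (one-time SIDs rotated on every request, plus an IP/User-Agent consistency check), added here as an illustration and not code from the original post or from the bank in question; the store class, the Session fields and the sample addresses are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    """Server-side state bound to one SID (fields are an assumption for this example)."""
    user: str
    ip: str
    user_agent: str


class RotatingSessionStore:
    """Keeps sessions server-side; every accepted request burns the presented SID
    and hands back a fresh one, so a SID leaked through a URL, referer header or
    browser history is worthless once the legitimate client has moved on."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(32)          # 256 bits of CSPRNG output
        self._sessions[sid] = Session(user, ip, user_agent)
        return sid

    def touch(self, sid, ip, user_agent):
        """Validate a presented SID. Returns (user, new_sid) or None if rejected.
        The presented SID is removed either way (one-time SID)."""
        session = self._sessions.pop(sid, None)
        if session is None:
            return None                          # unknown, expired or replayed SID
        if session.ip != ip or session.user_agent != user_agent:
            # Consistency check failed: fail closed and drop the session entirely,
            # which also logs out the real user (a signal worth alerting on).
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(session.user, ip, user_agent)
        return session.user, new_sid


def demo():
    """Constructed walk-through: legitimate use, a replayed SID, and a mismatched client."""
    store = RotatingSessionStore()
    ua = "Mozilla/5.0 (constructed sample UA)"
    sid1 = store.create("alice", "203.0.113.5", ua)
    user, sid2 = store.touch(sid1, "203.0.113.5", ua)   # accepted, SID rotated
    replay = store.touch(sid1, "203.0.113.5", ua)       # stale SID: rejected
    hijack = store.touch(sid2, "198.51.100.7", ua)      # other IP: rejected
    return user, sid2 != sid1, replay is None, hijack is None
```

The trade-off is that a bookmarked or back-button URL carrying an older SID also stops working, which is exactly why the original answer calls the check "effective" rather than free.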

