List: webappsec
Subject: Re: Encrypted URL
From: gcb33 () dial ! pipex ! com
Date: 2004-01-31 7:48:18
Message-ID: 1075535298.401b5dc246bb3 () netmail ! pipex ! net
Encrypting the URL adds another layer of security to web apps; we use it in banking
applications. As the application uses URL rewrites, it was easy to add on top.
The entire URL is encrypted, with a random key for each page requested. We don't
use GET, as it is all POST data submitted by the user.
This solves:
Retry sessions: if the user was able to copy and paste a previous URL into another
browser, it will not work; the key has been lost and the session will be killed
automatically. Back button, same again, or Ctrl-N refresh. Second, it stops a lot
of process flow jumping within the site, i.e. in brokerage Buy, Order, Sell, and
the same with corporate banking systems.
It also hides the path that pages are on; all you see is one long encrypted URL,
and it makes it harder for the person to guess what application server you are
running on.
We have two keys in this approach. One key is used to do the URL rewrites, seeded
from the web servers themselves. Another key is created randomly per page for
each user request, which is mapped into the session state database on the
application server.
Please note this approach we can turn on or off for testing, to make sure that
the application server can still handle the session state of the user within
the site without relying on the 2nd key.
James
--
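The two-key scheme James describes, modelled as an added example (this is not code from the original post or from the bank's application). The assumptions are mine: a server-side key (key 1) seals the whole URL with an HMAC-SHA256 keystream plus an HMAC tag as a stand-in for whatever cipher the real rewrite layer uses; a fresh random per-page key (key 2) is minted each time a page is rendered and kept in an in-memory dict standing in for the session state database; and a request whose URL fails to open, or carries a page key other than the one currently on record, kills the session. Replaying a link from an earlier page (back button, copied URL) therefore fails once the next page has been rendered.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Key 1: the web-server seed used to seal/unseal every rewritten URL (constructed).
SERVER_KEY = secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (assumption: stand-in cipher)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC the plaintext into a URL-safe opaque token."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).rstrip(b"=").decode()


def unseal(key: bytes, token: str) -> Optional[bytes]:
    """Return the plaintext, or None if the token is malformed or its tag fails."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SessionStore:
    """Stand-in for the application server's session state database (assumption)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"page_key": None, "alive": True}
        return sid


def render_page(store: SessionStore, sid: str, links: List[str]) -> List[str]:
    """Mint key 2 for this page render, record it in session state, and seal every link with it."""
    page_key = secrets.token_hex(16)
    store.sessions[sid]["page_key"] = page_key
    # The visible URL is one opaque token; the real path never appears in it.
    return ["/" + seal(SERVER_KEY, f"{page_key}|{path}".encode()) for path in links]


def handle_request(store: SessionStore, sid: str, url: str) -> Tuple[str, Optional[str]]:
    """Open the URL and check its page key against the session; any mismatch kills the session."""
    sess = store.sessions.get(sid)
    if sess is None or not sess["alive"]:
        return ("killed", None)
    plain = unseal(SERVER_KEY, url.lstrip("/"))
    if plain is None:  # tampered or forged URL
        sess["alive"] = False
        return ("killed", None)
    page_key, path = plain.decode().split("|", 1)
    if not hmac.compare_digest(page_key, sess["page_key"] or ""):
        sess["alive"] = False  # stale key: replayed, back-buttoned or copied URL
        return ("killed", None)
    return ("ok", path)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.new_session()
    buy, sell = render_page(store, sid, ["/broker/buy", "/broker/sell"])
    print(handle_request(store, sid, buy))       # ('ok', '/broker/buy')
    render_page(store, sid, ["/broker/order"])   # next page rotates key 2
    print(handle_request(store, sid, sell))      # ('killed', None): stale page key
```

Because key 2 is rotated on every page render rather than per link, all links on one page share it, which is what lets the next page invalidate everything that came before it. The "turn it off for testing" switch from the post would simply skip the page-key comparison while leaving the key 1 seal in place.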