Re: [PHP] Re: Session's across Domains...

2005-11-09 Thread Ben Ramsey
On 11/9/05 11:05 AM, Tony Di Croce wrote: If the shopping cart on site A submits to the secure CC processing page on site B, then the contextual data that describes the order (price, order number) was actually communicated from A to B via a hop at the user's browser (likely via a hidden form field

Re: [PHP] Re: Session's across Domains...

2005-11-09 Thread M
Ben Ramsey wrote: B is a secure page, with a CC info form that when submitted will process their card, charging the amount of money passed in the encrypted packet, and if the charge succeeds, redirecting back to A. A would probably need to send an order number to B, and B could pass that back

Re: [PHP] Re: Session's across Domains...

2005-11-09 Thread Tony Di Croce
Hmm... Almost. If the shopping cart on site A submits to the secure CC processing page on site B, then the contextual data that describes the order (price, order number) was actually communicated from A to B via a hop at the user's browser (likely via a hidden form field on site A). Thus it would ne

Re: [PHP] Re: Session's across Domains...

2005-11-09 Thread Ben Ramsey
I'm posting this back to the list to keep the conversation there. I hope you don't mind. My comments are at the bottom . . . On 11/9/05 10:10 AM, Tony Di Croce wrote: The reason I even wanted to do this had more to do with sharing some data between two sites, and less with really maintaining a

Re: [PHP] Re: Session's across Domains...

2005-11-09 Thread Ben Ramsey
On 11/8/05 11:52 PM, Chris Shiflett wrote: When I've provided this feature in the past, I've always taken advantage of launch and landing pages - e.g., users could only get to the other domain and still be logged in if they clicked a link from my application, and those links all go through a la

Re: [PHP] Re: Session's across Domains...

2005-11-08 Thread Chris Shiflett
Ben Ramsey wrote: To me, it's not a question of whether the sites are physically located on the same machine, and it's not a question of encrypting the session id. Anyone who even knows the encrypted session id could then POST it to the form in a replay attack, authenticating themselves as the in

Re: [PHP] Re: Session's across Domains...

2005-11-08 Thread Curt Zirzow
On Tue, Nov 08, 2005 at 11:32:33PM -0500, Ben Ramsey wrote: > On 11/8/05 10:27 PM, Tony Di Croce wrote: > > > >The sites are both physically located on the same machine. > > > >What if I encrypt the session_id, and put it in a "hidden" text input > >box in a form, that is delivered via POST to the

Re: [PHP] Re: Session's across Domains...

2005-11-08 Thread Ben Ramsey
On 11/8/05 10:27 PM, Tony Di Croce wrote: The sites are both physically located on the same machine. What if I encrypt the session_id, and put it in a "hidden" text input box in a form, that is delivered via POST to the other site. This way, the session id is passed, but it is encrypted? To

Re: [PHP] Re: Session's across Domains...

2005-11-08 Thread Ben Ramsey
On 11/8/05 9:32 PM, Richard Lynch wrote: Call me crazy, but the session_id is already going in/out through Cookie headers. So, really, it's not THAT much less secure for it to go in POST, and only nominally less secure to go in GET, is it?... Okay, you're crazy. ;-) j/k [Hey, Richard!] Yeah,

Re: [PHP] Re: Session's across Domains...

2005-11-08 Thread Richard Lynch
On Tue, November 8, 2005 7:32 pm, Ben Ramsey wrote: > I think the approach here will need to err on the site of caution. You > don't want to pass the session identifier through the URL (or POST) > too > much because it risks exposure and the possibility for session > hijacking, though it should be