I have read a number of different tutorials that talk about adding a
login page to an application that all contain very similar wording:
“Of course, you would log in over an SSL connection”. And I
understand the theory of HTTP and the theory of packet sniffing well
enough to know that, if I type in a password on a form, and that form
gets sent unencrypted to a server, then anybody with a packet
sniffer could peek at that form as it goes whizzing by and look at the
password. And I understand human nature enough to know that if
something like that could be done, then there are people out there
who delight in doing things like that.

OK, enough long-winded babbling introduction. The tutorials I’ve read
about logging into an application all store the user ID in the
session. I presume that the “session” is a conceptual framework
wrapped around a cookie. Here is where my knowledge of the theory of
HTTP runs out. So I start to assume things. One thing that I assume
is that, when a server places a cookie in a client’s browser, there
must be something inherent in the protocol that would allow the server
to retrieve that cookie.

Now I start to wonder how secure sessions are. If only the login page
is encrypted, what is to prevent somebody from sniffing the
unencrypted cookie request and response as they go whizzing by to
fetch later pages? Is there a provision for encrypted cookies? Do
the client and the server share a secret when the cookie is first
placed on the client (via the encrypted link) that is used to prevent
the cookie from being used by a malicious party?

I’m just curious about this, and, because I’m curious, and because I
am really supposed to be writing an annual report, I thought this
would be a good time to ask the experts about this burning issue.
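The mechanics the question asks about, shown as an added example (not code from the original post): the server hands the browser a random session token in a `Set-Cookie` response header, the browser echoes it back in a `Cookie` request header on every later request, and the server maps the token to a user. There is no extra shared secret beyond the token itself, so whoever captures the token can use it. The one protocol-level provision is the `Secure` attribute, which tells the browser never to send the cookie over plain `http://`; the `browser_would_send` check below models that rule. The function names, the `sessionid` cookie name and the in-memory store are assumptions made for this example.

```python
"""Added example: issuing, reading back and protecting an HTTP session cookie.

The cookie name ("sessionid"), the dict-based session store and the
function names are assumptions of this example, not anything the post
or a specific framework defines.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def issue_session_cookie(user_id, store, secure=True):
    """Log a user in: create an unguessable token, remember who it belongs
    to on the server side, and return the Set-Cookie header value."""
    # 32 random bytes -> ~43 URL-safe characters. The browser only ever
    # holds this token; the user ID itself stays in the server-side store.
    token = secrets.token_urlsafe(32)
    store[token] = user_id

    cookie = SimpleCookie()
    cookie["sessionid"] = token
    cookie["sessionid"]["path"] = "/"
    # HttpOnly keeps page scripts from reading the token.
    cookie["sessionid"]["httponly"] = True
    if secure:
        # Secure tells the browser to attach this cookie only on https://
        # requests, so it is never sent in the clear.
        cookie["sessionid"]["secure"] = True
    # Render as the header value the server would emit after "Set-Cookie:".
    return cookie.output(header="").strip()


def parse_set_cookie(header_value):
    """What a browser stores after seeing the Set-Cookie header: the token
    plus the attributes that govern when it may be sent back."""
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar["sessionid"]
    return {
        "value": morsel.value,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def browser_would_send(cookie_attrs, url):
    """Model the RFC 6265 rule for the Secure attribute: a Secure cookie is
    attached only to requests over a secure scheme (https)."""
    scheme = urlsplit(url).scheme.lower()
    if cookie_attrs["secure"] and scheme != "https":
        return False
    return True


def resolve_session(store, cookie_header):
    """Server side of a later request: parse the Cookie header the browser
    sent and look the token up. Returns the user ID or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sessionid")
    if morsel is None:
        return None
    return store.get(morsel.value)


if __name__ == "__main__":
    sessions = {}
    set_cookie = issue_session_cookie("alice", sessions)
    attrs = parse_set_cookie(set_cookie)
    print("Set-Cookie:", set_cookie)
    print("sent over https? ", browser_would_send(attrs, "https://example.com/inbox"))
    print("sent over http?  ", browser_would_send(attrs, "http://example.com/inbox"))
    # Later request: the browser echoes the token back in a Cookie header.
    print("user for token:  ", resolve_session(sessions, f"sessionid={attrs['value']}"))
```

With `secure=False` the same token would be attached to `http://` requests as well, which is exactly the sniffable-cookie situation the question describes; the only complete fix is to serve every page of the logged-in session over TLS and mark the cookie `Secure`.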