Web Security: The Worst Situation

Currently, I have created a system that checks the user's IP address, browser, and arbitrary string cookie to determine if he is an administrator.

In the worst case scenario, someone steals my cookie, uses the same browser as me, and disguises their IP address as mine. Is there another level of security that I have to add to my script in order to make it more secure?

EDIT: To clarify: my site does not accept any data from users at all. I am simply developing an admin control panel to make it easier to update records in the database.

+3
4 answers

- . security, . xss , " ".

ip- "" XSS + XHR XSRF. , . , , IP-.

HTTPS - must . HTTP. " " The OWASP Top 10 2010 , , .

. , , .

. , nonce . , , .

, XSS XSRF. , , . , , xss wapiti . , XSRF, , .

+7

- HTTPS.

HTTPS:

, (1) . , , , , .., , -.

, , (2), .

, .

+4

HTTPS , , 100% . - - , .

+1

One thing that I missed, besides all that is mentioned, is fixing "all other security issues."

  • If you have SQL injection, any effort you put into cookies is a waste of time.
  • If you have an XSRF vulnerability, any effort you put into cookies is a waste of time.
  • If you have XSS, ....
  • If you have HPP, ...
  • If you have....,....

Did you understand?

If you really want to cover everything, I suggest you clear the landscape of vulnerability and build an attack tree (Bruce Schneier).

+1
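The thread's recurring points (a high-entropy cookie instead of IP/browser matching, HTTPS-only transport, a nonce against XSRF) as an added example that is not part of the original question or any answer; the in-memory `SESSIONS` store, the `SESSION_TTL` value and the cookie name `admin_session` are assumptions for illustration:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store; a real deployment would use a database or cache.
# Keyed by sha256(token) so a leaked session table does not yield usable cookies.
SESSIONS = {}
SESSION_TTL = 15 * 60  # short lifetime limits what a stolen cookie is worth


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user, now=None):
    """Return (Set-Cookie value, csrf_nonce) for a freshly authenticated admin."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable string
    csrf = secrets.token_urlsafe(32)   # per-session nonce required on every state-changing request
    SESSIONS[_digest(token)] = {"user": user, "expires": now + SESSION_TTL, "csrf": csrf}
    # Secure: sent only over HTTPS. HttpOnly: unreadable to injected script (XSS).
    # SameSite=Strict: not attached to cross-site requests (XSRF).
    cookie = (f"admin_session={token}; Secure; HttpOnly; SameSite=Strict; "
              f"Path=/admin; Max-Age={SESSION_TTL}")
    return cookie, csrf


def validate_request(token, csrf_submitted=None, mutating=False, now=None):
    """Return the user name if the request is authorised, otherwise None."""
    now = time.time() if now is None else now
    key = _digest(token or "")
    sess = SESSIONS.get(key)
    if sess is None or sess["expires"] < now:
        SESSIONS.pop(key, None)  # drop expired sessions eagerly
        return None
    # Requests that change data must also carry the nonce; a cross-site attacker can
    # make the browser send the cookie but cannot read the nonce to include it.
    if mutating:
        if not csrf_submitted:
            return None
        if not hmac.compare_digest(csrf_submitted.encode(), sess["csrf"].encode()):
            return None  # constant-time compare, no early exit on mismatch
    return sess["user"]


def logout(token):
    SESSIONS.pop(_digest(token), None)
```

IP and User-Agent matching can stay as an extra signal, but as the answers note they are spoofable and are no substitute for a random token carried only over HTTPS.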

Source: https://habr.com/ru/post/1741826/
