Is it possible at all to secure an unencrypted website?

Discussion in 'ASP .Net Security' started by LenaMsdn08, Feb 7, 2009.

  1. LenaMsdn08

    LenaMsdn08 Guest

    We recently had this discussion at work - someone had suggested implementing
    single sign-on by passing a random 32-byte key in the query string and matching
    it against a database that is used by both applications. Both sites are
    written in ASP.NET 1.1.

    It was pointed out that passing this key in the query string was a huge
    security hole; anyone who intercepted the request on the Internet could then
    use the key to log in.

    On the other hand, wouldn't any unencrypted (using http, not https) website
    be vulnerable pretty much no matter what you do? For example, even if the
    session object is server-side, isn't the cookie that stores the session ID
    passed in the HTTP request, so just as well as intercepting the query string,
    couldn't someone intercept the cookie and hijack the session?

    (My apologies for the lack of correct terminology in this post.)
    LenaMsdn08, Feb 7, 2009
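
The comparison drawn in the post, as an added example that is not part of the original thread: it parses one constructed plain-HTTP request and reports where the query-string key and the session cookie can each be read. The host, path, parameter name `key` and all values are made up for illustration; `ASP.NET_SessionId` is the default ASP.NET session cookie name.

```python
from urllib.parse import urlsplit, parse_qsl
from http.cookies import SimpleCookie

# Constructed sample: the SSO hand-off request described in the post, sent
# over plain HTTP. Host, path, parameter name and values are made up.
SAMPLE_REQUEST = (
    b"GET /sso/landing.aspx?key=3f9c0a7d5e1b48c2a6d09e7f1b2c3d4e HTTP/1.1\r\n"
    b"Host: app2.example.test\r\n"
    b"Cookie: ASP.NET_SessionId=kq1w5d55xg0v3cmd4qzj0y45; theme=dark\r\n"
    b"\r\n"
)

# Names treated as bearer credentials (an assumption of this example).
CREDENTIAL_NAMES = {"key", "asp.net_sessionid"}


def bearer_values(raw_request: bytes):
    """Return (location, name, value) for each credential in the request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    found = []
    for name, value in parse_qsl(urlsplit(target).query):
        if name.lower() in CREDENTIAL_NAMES:
            found.append(("query", name, value))
    for line in header_lines:
        field, _, content = line.partition(":")
        if field.strip().lower() != "cookie":
            continue
        for name, morsel in SimpleCookie(content.strip()).items():
            if name.lower() in CREDENTIAL_NAMES:
                found.append(("cookie", name, morsel.value))
    return found


def exposure(raw_request: bytes, scheme: str):
    """Map each credential to the places where it is readable in cleartext."""
    report = {}
    for location, name, _value in bearer_values(raw_request):
        places = set()
        if scheme == "http":
            places.add("network")  # the whole request is cleartext on the wire
        if location == "query":
            # URLs are also recorded off the wire, whatever the scheme.
            places.update({"server-log", "browser-history"})
        report[name] = sorted(places)
    return report
```

Over `http` both values are readable on the network, which is the equivalence the post asks about; the query-string key is additionally written to places a cookie is not, and that part does not change with `https`.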