
Session Data Management and Security Concepts

Most web applications or websites require a user to interact with them several times to complete a business transaction. For example, when a user shops on Amazon or Flipkart, the user selects one item at a time by clicking buttons or hyperlinks and fills in text fields to specify the payment details. The server processes this data and may respond with another page.
A sequence of related HTTP requests between a web browser and a web application that accomplishes a single business transaction is called a session. All data specified by the user during a session is known as session data. Session data is generally private and must be protected from other users. A session typically begins when a user visits a web site for the first time and ends when the user closes the browser. Since the HTTP protocol is stateless (each request is handled with no memory of earlier ones), web applications have to use special mechanisms to maintain the user's session data securely.
Cookies
Cookies are small text files which hold data as name/value pairs. A web application can generate multiple cookies, set their lifespan (how long each cookie should remain valid) and send them to the web browser as part of the response. If cookies are enabled, the browser stores them on the user's computer, and every subsequent HTTP request that browser sends to the same site carries the cookies along with it.
Cookies are the simplest way to maintain session data, since the web server does not need to commit any resources to storing it. This makes them the most scalable approach for a large number of users. The drawback of cookies is that they are not secure: because they are stored on the client's computer, a third party with access to that computer might read them, and while cookies travel between the browser and the web application an attacker might eavesdrop on the session data they carry along the path.
Hidden Fields
Some web users who are concerned about the security implications of cookies disable them in their browser. In such cases, another way to store session data is hidden fields. A hidden field is part of an HTML form: an input element whose type is set to hidden, so that neither the field nor its data is visible to the user. When the form is submitted, the server processes the session data carried in the hidden fields. A hidden field can store only one value at a time. Both cookies and hidden fields are suited to situations where only a limited amount of data needs to be stored.
Query String
A query string is a collection of name/value pairs appended to the end of a URL. Query strings can also be used to maintain session data, but only a very limited amount of data can be carried this way. Since the data in the query string is visible to the user, this approach is poorly suited to storing sensitive session data.
Server-Side Session Objects
To improve the security of session data and avoid wasting network bandwidth (as hidden fields do) by moving session data back and forth between the web browser and the web server, most of the session data can be stored on the server in session objects. Every session object has a unique session ID that identifies a specific user.
A session object is normally implemented as a hash table (lookup table) of name/value pairs. The session ID itself is carried by a cookie, a hidden field or a query string. Since this approach keeps the session data on the server, it consumes the most server resources (memory and processor time) of the approaches described here, and serving a large number of clients concurrently is relatively harder.
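The server-side session object described above, as an added example that is not code from the original post: session data lives in a server-side hash table, and only an unguessable session ID travels in a cookie. The cookie name `SESSIONID`, the 30-minute lifespan and the function names are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Added example: minimal server-side session store. Only the opaque session ID
# is sent to the browser; the data stays in this table. Names are assumptions.
SESSION_TTL_SECONDS = 1800          # session lifespan (assumption)
_sessions = {}                      # session_id -> {"data": {...}, "expires": epoch}


def create_session(initial_data=None, now=None):
    """Create a session and return (session_id, Set-Cookie header value)."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)   # 256 bits of entropy, not guessable
    _sessions[session_id] = {"data": dict(initial_data or {}),
                             "expires": now + SESSION_TTL_SECONDS}
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["max-age"] = SESSION_TTL_SECONDS  # browser drops it after TTL
    cookie["SESSIONID"]["httponly"] = True   # not readable by page scripts
    cookie["SESSIONID"]["secure"] = True     # only sent over HTTPS, so no eavesdropping
    cookie["SESSIONID"]["samesite"] = "Lax"
    return session_id, cookie.output(header="").strip()


def session_from_request(cookie_header, now=None):
    """Return the session data named by the request's Cookie header, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("SESSIONID")
    if morsel is None:
        return None
    entry = _sessions.get(morsel.value)
    if entry is None:                 # unknown or forged ID: no session
        return None
    if entry["expires"] <= now:       # expired: drop it and treat as no session
        del _sessions[morsel.value]
        return None
    return entry["data"]


def destroy_session(session_id):
    """Forget a session on logout so the ID can no longer be reused."""
    _sessions.pop(session_id, None)
```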
Security on the web relates to protecting your sensitive data (passwords, credit card numbers, PINs and so on) from being accessed or manipulated by people who are not supposed to do so. Most security concerns arise from vulnerabilities in the Internet and related technologies. To understand what the security issues are, consider a transaction in which you send your username and password to log in to a website. The security issues for this transaction are as follows:
Privacy – It should not be possible for a third party to steal your data while it is being sent to the server.
Integrity – It should not be possible for a third party to modify your data before it reaches the server.
Authentication – Both sides of the communication should be able to verify each other's identity.
Non-repudiation – Both sides must be able to prove legally that the message was sent and received.
The first two issues, privacy and integrity, can be supported by using encryption, which is a way to convert human-readable information into a form that cannot be read without the key. Several encryption algorithms are widely available, among which the popular ones are RSA, DES, AES and Triple DES.
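The integrity requirement above, applied to the hidden-field and cookie approaches described earlier, as an added example that is not from the original post: the server attaches a keyed hash (HMAC-SHA256, a message authentication code rather than one of the ciphers listed) to session data it hands to the client, so any modification on the way back is detected. The key, the `|` separator and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example: integrity tag for session data held by the client (cookie or
# hidden field). HMAC-SHA256 is a message authentication code, not a cipher: it
# detects tampering but does not hide the data. Names are assumptions.
SERVER_KEY = secrets.token_bytes(32)   # per-server secret; never sent to the client


def seal(payload: str, key: bytes = SERVER_KEY) -> str:
    """Return the payload followed by '|' and its hex HMAC tag."""
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def unseal(sealed: str, key: bytes = SERVER_KEY):
    """Return the payload if its tag verifies under key, otherwise None."""
    payload, sep, tag = sealed.rpartition("|")   # tag is after the last '|'
    if not sep:                                   # no tag at all: reject
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte via timing
    if not hmac.compare_digest(expected, tag):
        return None
    return payload
```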
Malicious programs add another dimension of problems for the security of data. Hackers (people with malicious intent) create malicious programs known as viruses, worms, time bombs and others.
A virus is a malicious program transmitted as an e-mail attachment or as part of a software download; when executed on the victim's computer, it attaches itself to other programs and makes them unusable, or deletes data held in memory or on the hard disk. A worm, unlike a virus, can propagate by itself. Viruses and worms allow an attacker to gain control of the victim's computer, which in turn may be used as part of attacks known as DoS (Denial of Service) attacks.