I'm teaching myself a touch of the most basic information security while toying with web dev, so that I can get a better understanding of the whole picture.
Let's assume my website has user accounts that have nonzero personal information stored in them.
Is it ever appropriate to store session IDs associated with this connection over HTTP?
I ask because I was looking through my own cookies and I see some of the ones under "google.com" are marked as "send over any connection" -- am I correct in assuming that these session IDs are not in any way linked to personal information that an attacker / sniffer could obtain or abuse?