jehugaleahsa
What type of security measures does, say, a database management
systems take in order to prevent a person from retransmitting logon
information that was captured from a sniffer?
There must be some way to prevent this from happening. I mean, anyone
could capture the data sent back and forth between a client and server
and just resend the exact same information in order to duplicate the
transaction, regardless of encryption.
I mean, connecting to a database is nothing more than bits being sent
over a network. The database processes those bits and simply creates a
session for that connection information. What prevents someone from
duplicating those bits and creating their own session?
Am I making myself clear?
I am asking because I know a lot of people who have resolved some of
their authentication issues by creating web services that return a
GUID once a user is authenticated. The GUID is kept alive in a
session, typically. When a request is sent to the web service, the
GUID is used to verify that the user is logged in. However, if this
GUID is passed over the network, couldn't anyone capture it and
imitate the session?
I guess that brings up another good question: where are session values
stored? I thought that they were implemented with cookies, which are
stored on the client. However, I am given the impression that they are
stored on the server. Just some confusion.
Is there a way to prevent someone from taking your credentials,
encrypted or not, and resending them to the server? I mean, private /
public key pairs even seem worthless because the public key can be
captured and they really don't prevent the database from
interpreting the bits. Perhaps the trick is that the database
encrypts the response given the client's public key, thus making it
impossible for you to interpret the response.
But, in the case of the GUID, if that is all that is needed to delete
a record, then that is nothing to entrust.
I hope I am making sense.
Thanks,
Travis
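The replay problem the post describes, worked as an added example (this is not code from the original post or from any particular database product): a challenge-response login in which the server issues a fresh random nonce for each attempt and the client proves knowledge of a password-derived key by computing an HMAC over the user name and that nonce. The password itself never crosses the wire, and a captured (nonce, proof) pair is useless afterwards because the nonce is consumed on first use. The same example shows where session values live: the cookie or header carries only a random opaque ID, and the server keeps the mapping from ID to user in its own table. The Server class, client_prove function, the user "travis" and the password are all assumed for illustration.

```python
import hashlib
import hmac
import secrets


class Server:
    """Hypothetical server side of a nonce-based challenge-response login."""

    def __init__(self, users):
        # users maps user name -> password-derived key (a real system would
        # derive this with a salted, slow KDF; a plain SHA-256 is used here
        # only to keep the example short).
        self.users = users
        self.pending = {}   # user name -> outstanding single-use nonce
        self.sessions = {}  # opaque session ID -> user name (server-side state)

    def challenge(self, username):
        """Issue a fresh random nonce; it is valid for exactly one login attempt."""
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def login(self, username, nonce, proof):
        """Verify the client's proof for the currently outstanding nonce.

        The nonce is removed from the pending table before checking, so a
        second submission of the same bytes (a replay) finds no matching
        challenge and is rejected.
        """
        expected_nonce = self.pending.pop(username, None)
        key = self.users.get(username)
        if expected_nonce is None or key is None:
            return None
        if not hmac.compare_digest(expected_nonce, nonce):
            return None
        expected_proof = client_prove(key, username, nonce)
        if not hmac.compare_digest(expected_proof, proof):
            return None
        # Successful login: mint a random, unguessable session ID. Only this
        # ID travels to the client; the user identity stays in self.sessions.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id

    def whoami(self, session_id):
        """Resolve a presented session ID against server-side state."""
        return self.sessions.get(session_id)


def client_prove(key, username, nonce):
    """Client side: bind the proof to both the user name and the nonce."""
    return hmac.new(key, username.encode() + b"\x00" + nonce, hashlib.sha256).digest()


def demo():
    """Run a legitimate login, then two replay attempts with the captured bytes."""
    key = hashlib.sha256(b"example-password").digest()  # assumed credential
    server = Server({"travis": key})

    # Legitimate client: get a challenge, answer it, receive a session ID.
    nonce = server.challenge("travis")
    proof = client_prove(key, "travis", nonce)
    captured = (nonce, proof)  # what a sniffer on the wire would see
    session_id = server.login("travis", nonce, proof)

    # Attacker replays the exact captured bytes: no challenge is outstanding.
    replay_same = server.login("travis", *captured)

    # Attacker first requests a new challenge, then replays the old proof:
    # the nonce differs, so the proof does not verify.
    server.challenge("travis")
    replay_new_nonce = server.login("travis", *captured)

    return {
        "login_ok": session_id is not None,
        "user_from_session": server.whoami(session_id),
        "replay_same_rejected": replay_same is None,
        "replay_new_nonce_rejected": replay_new_nonce is None,
        "session_table_holds_user": server.sessions.get(session_id) == "travis",
    }


if __name__ == "__main__":
    print(demo())
```

The nonce stops replay of the credential exchange, but it does not protect the session ID that comes back: that ID is a bearer token, and whoever presents it is treated as the user, which is exactly the weakness the post raises about a GUID returned by a web service. That is why the ID is carried only over an encrypted channel such as TLS, is given a short lifetime, and is stored on the client purely as a lookup key for state that lives on the server.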