0

As far as I know, the only way to avoid session hijacking is HTTPS, but sometimes we don't want to use it, so I thought about an alternative way.

I'll explain my way; can it be possible, or is it a good way?

Suppose we have a third-party server (I called it Padra) which gives you an API to check sessions and cookies. You call Padra's JS file in your website views (the session and cookies are saved under Padra's domain name and you don't have direct access to them, but Padra uses SSL); then you can check the session and cookie values on the server side by calling the Padra API.

What do you think about it?

Moein Hosseini

2 Answers

0

I don't think it's a particularly good trade-off.

Issues:

  • You've decreased the confidence users have in your site (even if you have a secure implementation, it won't have the padlock/green bar/etc.)
  • Your users now have an additional asset to download, parse, run and so slows their experience
  • If third-party cookies are disabled it doesn't work at all
  • You've added additional complexity throughout, and now also have an additional external dependency on your backend you have to manage
chrisb
0

The HTTP-only header helps prevent common session hijacking and XSS vulnerabilities. Instead of going through so much trouble, you can try using this.

Arun
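As an added example (not code from either answer or from the question's "Padra" design), here is how the HttpOnly flag Arun mentions is actually emitted by a server, together with the Secure and SameSite attributes, and a small audit function that reports which of those hardening attributes a Set-Cookie header lacks. The cookie name `sessionid`, the `/login` path and the throw-away local test server are assumptions made for the demo; note that the Secure flag only takes effect over HTTPS, which is exactly the point the question is trying to avoid.

```python
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection

COOKIE_NAME = "sessionid"  # hypothetical cookie name, not from the thread


def build_session_cookie(session_id: str, secure: bool = True) -> str:
    """Build a Set-Cookie value carrying HttpOnly (the answer's point), SameSite and Secure."""
    c = SimpleCookie()
    c[COOKIE_NAME] = session_id
    m = c[COOKIE_NAME]
    m["path"] = "/"
    m["httponly"] = True      # page script (document.cookie) cannot read it: limits XSS-based theft
    m["samesite"] = "Lax"     # browser omits it from most cross-site requests
    if secure:
        m["secure"] = True    # browser sends it only over HTTPS, so TLS still matters
    return c.output(header="").strip()


HARDENING_FLAGS = ("httponly", "secure", "samesite")


def audit_set_cookie(header_value: str) -> list:
    """Return the hardening attributes (lower-case) missing from a Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}  # parts[0] is name=value
    return [flag for flag in HARDENING_FLAGS if flag not in present]


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal constructed test server: every GET issues a fresh hardened session cookie."""

    def do_GET(self):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        body = b"ok"
        self.send_response(200)
        self.send_header("Set-Cookie", build_session_cookie(token))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch_set_cookie() -> str:
    """Start the test server on a free loopback port, make one request, return its Set-Cookie header."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", "/login")
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Set-Cookie")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    hdr = fetch_set_cookie()
    print("Server sent:", hdr)
    print("Missing hardening flags:", audit_set_cookie(hdr))
    print("A bare cookie is missing:", audit_set_cookie("sessionid=abc; Path=/"))
```

The audit function is the useful part in practice: run it over the Set-Cookie headers your own application returns (for example from a framework's test client) to catch a session cookie that went out without HttpOnly or Secure.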