Question

Here's the scenario:

On every non-shopping-cart page a new md5(rand()) session variable is generated. This variable is then inserted into the url for shopping cart links. Clicking the cart link would be the point at which a user is transferred from http to https so I understand that this is a crucial transaction to secure in order to prevent a man in the middle from injecting himself between the server and the user.

In order to access the shopping cart the current session variable must match the string in the url (eg "/shopping_car_url/{random_string}/"), otherwise a 404 error is sent.

  1. Should this be effective as long as the session is not compromised?
  2. Would using a POST variable (or the same or different random strings in both session and post) be as or more effective (or ineffective)?
  3. If this is effective, is there any benefit to doing the same thing through the rest of the cart editing / checkout process or would this be pointless since the user is already connected to SSL at this point?

Solution

What you're trying to protect yourself against here is CSRF (Cross Site Request Forgery) and not MITM.

Once you switch to https a MITM attack is virtually impossible and adding items to a cart typically doesn't require CSRF protection (unlike the payment action itself). Make sure to also read XSS & CSRF: Practical exploitation of post-authentication vulnerabilities.

However, if a malicious person manages to position themselves in between the user and your site before you switch to https, they would be able to rewrite your shop links as well, but without using https; it would then be up to your users to be vigilant about the lock icon in the address bar.
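As an added illustration (not code from the question or the answer), here is a minimal model of the per-session random string the question describes, treated as what the answer says it is: a CSRF token. It covers both variants the question asks about, the token in the URL path and the token in a POST field, and returns the 404 the question's design sends on a mismatch. The `Session` class, `check_cart_request` and the path pattern are this example's own assumptions.

```python
# Added example: the question's cart token modelled as a CSRF token.
import hmac
import re
import secrets
from typing import Optional

# The question's URL shape, "/shopping_cart_url/{random_string}/", assumed here
# to carry a 32-character hex token.
CART_PATH = re.compile(r"^/shopping_cart_url/([0-9a-f]{32})/$")


class Session:
    """Server-side session holding the current cart token (hypothetical)."""

    def __init__(self):
        self.cart_token = None

    def new_cart_token(self) -> str:
        # secrets.token_hex draws from the OS CSPRNG. md5(rand()) as in the
        # question is only as unpredictable as rand(), which is not a CSPRNG.
        self.cart_token = secrets.token_hex(16)
        return self.cart_token

    def cart_link(self) -> str:
        """Link emitted on a non-cart page, as the question describes."""
        return f"/shopping_cart_url/{self.new_cart_token()}/"


def presented_token(path: str, form: dict) -> Optional[str]:
    """Token may arrive in the URL (question 1) or as a POST field (question 2)."""
    m = CART_PATH.match(path)
    if m:
        return m.group(1)
    return form.get("cart_token")


def check_cart_request(session: Session, path: str, form: dict) -> int:
    """Return the HTTP status the question's design would send: 200 or 404."""
    token = presented_token(path, form)
    if session.cart_token is None or token is None:
        return 404
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(session.cart_token, token):
        return 404
    return 200
```

A link minted in one session is rejected in another, which is exactly the cross-site forgery case the token guards against; it does nothing against an attacker who rewrites the plain-http page that carries the link.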

OTHER TIPS

Don't bother with it. Keep your URLs simple and straightforward; your customers will be much happier. If you're using SSL correctly, you are protected against the vast majority of transport-layer man-in-the-middle attacks.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow