[Seaside-dev] RE: Rekeying Sessions

Boris Popov boris at deepcovelabs.com
Tue Mar 17 23:24:01 UTC 2009


It looks like the following is needed when using cookies,

rekey
 self application changeKeyForHandler: self.
 self useSessionCookie ifTrue: [self redirectWithCookie: self sessionCookie].

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

boris at deepcovelabs.com

CONFIDENTIALITY NOTICE

This email is intended only for the persons named in the message header.
Unless otherwise indicated, it contains information that is private and
confidential. If you have received it in error, please notify the sender
and delete the entire message including any attachments.

Thank you.
-----Original Message-----
From: Boris Popov 
Sent: Tuesday, March 17, 2009 3:18 PM
To: 'seaside-dev at lists.squeakfoundation.org'
Subject: Rekeying Sessions

Hey,
Our auditors recently completed comprehensive penetration testing of
our Seaside-based applications, and one of the medium-priority
recommendations they had was to issue a different session id after login
(see attached comments). It later became "low priority" when we
demonstrated that the attacker's source IP needed to match because we used
the session protector.

Here's a snippet for 2.8 that appears to do the trick (not very well
tested yet), but I thought this might be worth including in the base for
2.9?

WASession>>rekey
 self application changeKeyForHandler: self.
WARegistry>>changeKeyForHandler: anObject
 self mutex
  critical:
   [(keysByHandler at: anObject ifAbsent: [nil])
    ifNotNil:
     [:key | 
     keysByHandler removeKey: anObject.
     handlersByKey removeKey: key]].
 ^self ensureKeyForHandler: anObject.

This all comes together in a task,

LoginTask>>go
 login := Login new.
 [self login] whileFalse.
 self session rekey.
 self call: menu.

Hope this helps,

-Boris

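The two maps in the snippet above (keysByHandler and handlersByKey) have to be updated together, and the old key must stop resolving as soon as the user authenticates, otherwise a session id that was known before login still identifies the authenticated session. The following is an added example, not Seaside's code: a small Python model of that registry and of a login step that rekeys and, for the cookie case, answers with a redirect carrying the new id. The class and function names, the cookie name `_s` and the credential store are all assumptions made for the example.

```python
import secrets
import threading


class SessionRegistry:
    """Model of a Seaside-style registry keeping key -> handler and
    handler -> key in sync (assumed structure, not the real WARegistry)."""

    def __init__(self):
        self._lock = threading.Lock()
        self.handlers_by_key = {}
        self.keys_by_handler = {}

    def ensure_key_for_handler(self, handler):
        # Hand out an existing key, or mint an unguessable new one.
        with self._lock:
            key = self.keys_by_handler.get(handler)
            if key is None:
                key = secrets.token_urlsafe(24)
                self.keys_by_handler[handler] = key
                self.handlers_by_key[key] = handler
            return key

    def change_key_for_handler(self, handler):
        # Drop the old key from BOTH maps under the lock, then register a
        # fresh one. ensure_key_for_handler is called outside the critical
        # section, as in the Smalltalk version, because the lock is not
        # reentrant.
        with self._lock:
            old_key = self.keys_by_handler.pop(handler, None)
            if old_key is not None:
                self.handlers_by_key.pop(old_key, None)
        return self.ensure_key_for_handler(handler)

    def handler_for_key(self, key):
        return self.handlers_by_key.get(key)


class Session:
    """Model of a session handler registered in the registry (assumed)."""

    def __init__(self, registry, use_session_cookie):
        self.registry = registry
        self.use_session_cookie = use_session_cookie
        self.authenticated = False
        registry.ensure_key_for_handler(self)

    @property
    def key(self):
        return self.registry.keys_by_handler[self]

    def rekey(self):
        new_key = self.registry.change_key_for_handler(self)
        if self.use_session_cookie:
            # With cookie-based ids the browser still holds the old value,
            # so the new id must be pushed out with the redirect.
            return {
                "status": 302,
                "headers": {"Set-Cookie": f"_s={new_key}; Path=/; HttpOnly"},
            }
        return None


# Constructed demo credential store; a real system would verify a hash.
CREDENTIALS = {"alice": "correct horse battery staple"}


def login(session, username, password):
    """Authenticate and rekey on success. Returns (ok, redirect_or_None)."""
    expected = CREDENTIALS.get(username)
    if expected is None or not secrets.compare_digest(expected, password):
        return False, None
    session.authenticated = True
    return True, session.rekey()


def demo():
    registry = SessionRegistry()
    session = Session(registry, use_session_cookie=True)
    pre_login_key = session.key
    ok, redirect = login(session, "alice", "correct horse battery staple")
    return {
        "ok": ok,
        "old_key_resolves": registry.handler_for_key(pre_login_key) is not None,
        "new_key_resolves": registry.handler_for_key(session.key) is session,
        "key_changed": session.key != pre_login_key,
        "redirect": redirect,
        "new_key": session.key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the block directly to see that the pre-login key no longer resolves after login while the new key does, and that the cookie case yields a 302 whose Set-Cookie header carries the new id.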
