[Seaside-dev] RE: Rekeying Sessions

Sebastian Sastre ssastre at seaswork.com
Wed Mar 18 10:02:30 UTC 2009


+1, would be great for this segment of the industry ;)
sebastian

> -----Original Message-----
> From: seaside-dev-bounces at lists.squeakfoundation.org 
> [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On behalf
> of Julian Fitzell
> Sent: Wednesday, March 18, 2009 05:51
> To: Seaside - developer list
> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
> 
> Hi Boris,
> 
> Thanks for the suggestion. I filed
> http://code.google.com/p/seaside/issues/detail?id=368 for this. There
> are a handful of security-related feature requests relating to sessions
> and cookies in there at the moment.
> 
> I understand you might not want to share details, particularly before
> you have addressed the issues, but I'm sure we would all be interested
> to hear, even in general terms, what other kinds of issues were raised
> in your audit. So if at any point you feel you are able to share more
> (even off-list if need be) that would be very interesting.
> 
> Cheers,
> 
> Julian
> 
> On Wed, Mar 18, 2009 at 12:24 AM, Boris Popov 
> <boris at deepcovelabs.com> wrote:
> > It looks like the following is needed when using cookies,
> >
> > rekey
> >  self application changeKeyForHandler: self.
> >  self useSessionCookie ifTrue: [self redirectWithCookie: self sessionCookie].
> >
> > -Boris
> >
> > --
> > +1.604.689.0322
> > DeepCove Labs Ltd.
> > 4th floor 595 Howe Street
> > Vancouver, Canada V6C 2T5
> > http://tinyurl.com/r7uw4
> >
> > boris at deepcovelabs.com
> >
> > CONFIDENTIALITY NOTICE
> >
> > This email is intended only for the persons named in the message header.
> > Unless otherwise indicated, it contains information that is private and
> > confidential. If you have received it in error, please notify the sender
> > and delete the entire message including any attachments.
> >
> > Thank you.
> > -----Original Message-----
> > From: Boris Popov
> > Sent: Tuesday, March 17, 2009 3:18 PM
> > To: 'seaside-dev at lists.squeakfoundation.org'
> > Subject: Rekeying Sessions
> >
> > Hey,
> >
> > Our auditors had recently completed comprehensive penetration testing of
> > our Seaside-based applications and one of the medium-priority
> > recommendations they had was to issue a different session id after login
> > (see attached comments). It later became "low priority" when we
> > demonstrated that the attacker's source IP needed to match because we used
> > the session protector.
> >
> > Here's a snippet for 2.8 that appears to do the trick (not very well
> > tested yet), but I thought this might be worth including in base for
> > 2.9?
> >
> > WASession>>rekey
> >  "Discard this session's current key and obtain a fresh one."
> >  self application changeKeyForHandler: self.
> >
> > WARegistry>>changeKeyForHandler: anObject
> >  "Under the registry mutex, drop anObject's old key from both lookup
> >  tables, then register anObject again under a newly generated key."
> >  self mutex
> >  critical:
> >   [(keysByHandler at: anObject ifAbsent: [nil])
> >    ifNotNil:
> >     [:key |
> >     keysByHandler removeKey: anObject.
> >     handlersByKey removeKey: key]].
> >  ^self ensureKeyForHandler: anObject.
> >
> > This all comes together in a task,
> >
> > LoginTask>>go
> >  login := Login new.
> >  "Keep presenting the login component until it succeeds."
> >  [self login] whileFalse.
> >  "Issue a fresh session key before any post-login content is served."
> >  self session rekey.
> >  self call: menu.
> >
> > Hope this helps,
> >
> > -Boris
> >
> >
> > _______________________________________________
> > seaside-dev mailing list
> > seaside-dev at lists.squeakfoundation.org
> > http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
> >
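A runnable model of the rekeying the thread describes, added here as an example and not Seaside's own code: the two registry maps from WARegistry>>changeKeyForHandler: and the login-then-rekey order of LoginTask>>go, written in Python rather than Smalltalk. Class and method names below are my own, and the cookie re-issue from the later snippet is not modelled.

```python
import secrets
import threading

class Session:
    """Stand-in for a WASession; its state must survive the rekey."""
    def __init__(self):
        self.user, self.cart = None, []   # set on login / kept across rekey

class SessionRegistry:
    """Model of the two WARegistry maps guarded by one mutex (assumed names)."""
    def __init__(self):
        self._mutex = threading.Lock()
        self._keys_by_handler = {}   # session -> key (identity-keyed)
        self._handlers_by_key = {}   # key -> session

    def ensure_key_for_handler(self, handler):
        """Return the handler's key, issuing a fresh random one if unregistered."""
        with self._mutex:
            key = self._keys_by_handler.get(handler)
            if key is None:
                key = secrets.token_urlsafe(16)
                self._keys_by_handler[handler] = key
                self._handlers_by_key[key] = handler
            return key

    def change_key_for_handler(self, handler):
        """Drop the old mapping in both directions, then issue a fresh key:
        a key a client held before login stops resolving, the session lives on."""
        with self._mutex:
            old = self._keys_by_handler.pop(handler, None)
            if old is not None:
                del self._handlers_by_key[old]
        return self.ensure_key_for_handler(handler)

    def handler_for_key(self, key):
        with self._mutex:
            return self._handlers_by_key.get(key)

def login_and_rekey(registry, session, user):
    """Mirrors LoginTask>>go: once the user is authenticated, rekey first."""
    session.user = user
    return registry.change_key_for_handler(session)

def demo():
    # Constructed scenario: a key issued before login must be dead after it.
    registry = SessionRegistry()
    session = Session()
    pre_login_key = registry.ensure_key_for_handler(session)
    session.cart.append("item-1")
    post_login_key = login_and_rekey(registry, session, "alice")
    return registry, pre_login_key, post_login_key
```

Running `demo()` shows the pre-login key no longer resolves while the same session object, with its cart and now its user, is reachable only through the new key.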
