[Seaside-dev] RE: Rekeying Sessions

Adrian Lienhard adi at netstyle.ch
Wed Mar 18 22:49:58 UTC 2009


I haven't followed this discussion closely, but hijacking a session  
from a referrer log is another threat if the session key is stored in  
the URL.

Adrian

On Mar 18, 2009, at 23:32, Boris Popov wrote:

> Yes, there are two ways why they say it's a risk,
>
> - people tend to copy-paste URLs from address bar when they want to  
> share them with other folks for legitimate reasons; when done within  
> an office behind a common firewall, session protector won't stop  
> users from unintentionally accessing each other's sessions in this  
> scenario
>
> - a more sinister angle is someone simply looking over a user's  
> shoulder and typing the same address in their browser; again, if  
> done within the same internet café then the attacker won't be stopped by  
> a session protector
>
> A cookie addresses both scenarios by hiding the session key from the user.
>
> Cheers!
>
> -Boris
>
> -- 
> +1.604.689.0322
> DeepCove Labs Ltd.
> 4th floor 595 Howe Street
> Vancouver, Canada V6C 2T5
> http://tinyurl.com/r7uw4
>
> boris at deepcovelabs.com
>
> -----Original Message-----
> From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org 
> ] On Behalf Of Julian Fitzell
> Sent: Wednesday, March 18, 2009 3:09 PM
> To: Seaside - developer list
> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
>
> On Wed, Mar 18, 2009 at 10:52 PM, Philippe Marschall <philippe.marschall at gmail.com 
> > wrote:
>> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>>> Julian,
>>>
>>> Most certainly, there's really nothing in there that isn't generally
>>> known to Seaside folks already. There really were only 3.5 issues
>>> raised,
>>>
>>> 1. Session ID Stored in URL (Medium)
>>
>> I don't agree with this one. I don't see why additionally writing the
>> session id to disk (that's what browsers do) adds any security. You
>> still transmit it with every request, just in a different part of the
>> HTTP header.
>
> Presumably the issue they were concerned about is people passing  
> URLs around, no?
>
> Julian
> _______________________________________________
> seaside-dev mailing list
> seaside-dev at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
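The referrer-log exposure Adrian raises, as an added example (not code from this thread or from Seaside itself): a defender-side check over constructed web-server log lines that flags session keys visible either in the request URL or in the Referer header, plus a redaction helper for logs that have to be shared. It assumes Seaside's `_s` query parameter is the one carrying the session key.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Seaside carries the session key in the "_s" query parameter (assumed name).
SESSION_PARAM = "_s"

# Constructed sample lines in Combined Log Format (request line, then Referer in quotes).
LOG_LINES = [
    '10.0.0.5 - - [18/Mar/2009:22:49:58 +0000] "GET /seaside/app?_s=AbC123xyz&_k=k1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Mar/2009:22:50:10 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "http://intranet.example/seaside/app?_s=AbC123xyz&_k=k2" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Mar/2009:22:51:00 +0000] "GET /seaside/app HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "(?P<referer>[^"]*)" '
)


def session_key(url):
    """Return the session key found in the URL's query string, or None."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get(SESSION_PARAM, [None])[0]


def find_url_session_leaks(lines):
    """Report every session key visible in a request target or a Referer.

    Returns a list of (client_ip, where, key); "referer" hits are the ones
    an external site's referrer log would also have recorded.
    """
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        for where in ("target", "referer"):
            key = session_key(m.group(where))
            if key:
                leaks.append((m.group("ip"), where, key))
    return leaks


def redact_session_key(url):
    """Blank the session key so the URL can be logged or shared safely."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if SESSION_PARAM not in qs:
        return url
    qs[SESSION_PARAM] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(qs, doseq=True)))
```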
