[Seaside-dev] RE: Rekeying Sessions

Boris Popov boris at deepcovelabs.com
Wed Mar 18 22:54:58 UTC 2009


True enough, although that assumes higher sophistication, and in our specific case we don't store access logs, so it didn't come up.

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

boris at deepcovelabs.com

CONFIDENTIALITY NOTICE

This email is intended only for the persons named in the message header. Unless otherwise indicated, it contains information that is private and confidential. If you have received it in error, please notify the sender and delete the entire message including any attachments.

Thank you.
-----Original Message-----
From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Adrian Lienhard
Sent: Wednesday, March 18, 2009 3:50 PM
To: Seaside - developer list
Subject: Re: [Seaside-dev] RE: Rekeying Sessions

I haven't followed this discussion closely, but hijacking a session from a referrer log is another threat if the session key is stored in the URL.

Adrian

On Mar 18, 2009, at 23:32 , Boris Popov wrote:

> Yes, there are two reasons why they say it's a risk:
>
> - people tend to copy-paste URLs from the address bar when they want to 
> share them with other folks for legitimate reasons; when done within 
> an office behind a common firewall, a session protector won't stop users 
> from unintentionally accessing each other's sessions in this scenario
>
> - a more sinister angle is someone simply looking over a user's shoulder 
> and typing the same address in their browser; again, if done within 
> the same internet café, the attacker won't be stopped by a session 
> protector
>
> A cookie addresses both scenarios by hiding the session key from the user.
>
> Cheers!
>
> -Boris
>
> -----Original Message-----
> From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Julian Fitzell
> Sent: Wednesday, March 18, 2009 3:09 PM
> To: Seaside - developer list
> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
>
> On Wed, Mar 18, 2009 at 10:52 PM, Philippe Marschall <philippe.marschall at gmail.com> wrote:
>> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>>> Julian,
>>>
>>> Most certainly, there's really nothing in there that isn't generally 
>>> known to Seaside folks already. There really were only 3.5 issues 
>>> raised,
>>>
>>> 1. Session ID Stored in URL (Medium)
>>
>> I don't agree with this one. I don't see why additionally writing the 
>> session id to disk (that's what browsers do) adds any security. You 
>> still transmit it with every request, just in a different part of the 
>> HTTP header.
>
> Presumably the issue they were concerned about is people passing URLs 
> around, no?
>
> Julian

_______________________________________________
seaside-dev mailing list
seaside-dev at lists.squeakfoundation.org
http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
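The thread above argues two points that are easy to check in code: a session key carried in the URL ends up in any third party's access log via the Referer header (and can be copied or read off a screen), while an IP-bound "session protector" does nothing against a second user behind the same NAT. The following is an added example written for this page, not code from the thread or from Seaside itself. It assumes `_s` as the name of the query parameter that carries the session key, models the session protector as a simple session-to-client-IP binding (an assumption about its behaviour, not Seaside's implementation), and uses constructed log lines in Apache combined log format.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed name of the query parameter carrying the session key (hypothetical).
SESSION_PARAM = "_s"

# Combined log format: ... "request" status bytes "referer" "user-agent"
_LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')


def session_key_in_url(url):
    """Return the session key carried in the URL's query string, or None."""
    params = dict(parse_qsl(urlsplit(url).query))
    return params.get(SESSION_PARAM)


def strip_session_key(url):
    """The URL a cookie-based transport would expose: same page, no session key.

    This is what ends up in a Referer header, in a copied link, or on screen."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def leaked_session_keys(log_lines):
    """Scan a third party's access log for Referer values carrying a session key.

    A browser sends the full URL of the linking page as Referer when the user
    follows an outbound link or loads an external image, so a URL-carried key
    appears verbatim in that third party's log."""
    keys = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m:
            key = session_key_in_url(m.group("referer"))
            if key:
                keys.append(key)
    return keys


class IpBoundSessions:
    """Stand-in for a 'session protector' that ties each session to the client
    address seen when it was created (assumed behaviour, not Seaside's code)."""

    def __init__(self):
        self._owner_ip = {}

    def create(self, key, client_ip):
        self._owner_ip[key] = client_ip

    def accept(self, key, client_ip):
        """True if the request's source address matches the session's owner."""
        return self._owner_ip.get(key) == client_ip


# Constructed sample data: an application URL with the key in the query string,
# and two lines from an unrelated site's access log (e.g. a CDN hosting a logo).
APP_URL = "https://app.example/seaside/orders?_s=Q7vJx9fYkR1d&_k=aB3c"
THIRD_PARTY_LOG = [
    '203.0.113.7 - - [18/Mar/2009:22:54:58 +0000] "GET /img/logo.png HTTP/1.1" 200 512 '
    '"https://app.example/seaside/orders?_s=Q7vJx9fYkR1d&_k=aB3c" "Mozilla/5.0"',
    # Same request after the session key moved into a cookie: Referer is harmless.
    '203.0.113.7 - - [18/Mar/2009:22:55:01 +0000] "GET /css/site.css HTTP/1.1" 200 1024 '
    '"https://app.example/seaside/orders?_k=aB3c" "Mozilla/5.0"',
]


def protector_stops_same_nat_user():
    """Does an IP-bound protector stop a colleague behind the same NAT?  (No.)"""
    sessions = IpBoundSessions()
    key = session_key_in_url(APP_URL)
    sessions.create(key, "203.0.113.7")          # legitimate user, office NAT address
    colleague_accepted = sessions.accept(key, "203.0.113.7")   # same NAT, copied URL
    outsider_accepted = sessions.accept(key, "198.51.100.9")   # different address
    return colleague_accepted, outsider_accepted


if __name__ == "__main__":
    print("keys recoverable from third-party log:", leaked_session_keys(THIRD_PARTY_LOG))
    print("URL with key moved to a cookie:", strip_session_key(APP_URL))
    print("(colleague accepted, outsider accepted):", protector_stops_same_nat_user())
```

Running it shows the key `Q7vJx9fYkR1d` recovered from the first log line only, the cookie-transport URL carrying nothing but the `_k` continuation parameter, and the IP-bound protector admitting the same-NAT colleague while rejecting the outsider. Philippe's counterpoint still holds: a cookie is sent on every request too, so it is only the copy, shoulder-surf and Referer channels that change, not exposure on the wire.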
