[Seaside-dev] RE: Rekeying Sessions

Philippe Marschall philippe.marschall at gmail.com
Thu Mar 19 06:40:13 UTC 2009


2009/3/18 Boris Popov <boris at deepcovelabs.com>:
> Yes, there are two ways why they say it's a risk,
>
> - people tend to copy-paste URLs from address bar when they want to share them with other folks for legitimate reasons; when done within an office behind a common firewall, session protector won't stop users from unintentionally accessing each other's sessions in this scenario
>
> - a more sinister angle is someone simply looking over user's shoulder and typing the same address in their browser; again, if done within the same internet café then attacker won't be stopped by a session protector

And retyping the session and continuation key? Yeah right, I can
totally see that happening, "Uhm, excuse me for a second, could you
move your head away for a second? I cannot see whether that is an I or
an l in your session key there."

Philippe
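The two scenarios Boris describes above (a URL pasted to a colleague behind the same NAT, and a session protector that cannot tell the two clients apart) are easy to model. The code below is an added example written for this thread, not Seaside's own session protector or session store; it assumes a toy protector that binds a session to the client's source IP, and models "rekeying" as rotating the continuation key `_k` on every accepted request. Names such as `SessionStore` and `shared_office_scenario` are constructed for the example.

```python
"""Toy model of URL-carried session keys, an IP-bound session protector,
and per-request rekeying. Constructed example, not Seaside code."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class SessionStore:
    """Server-side session table keyed by the _s value that travels in the URL."""

    def __init__(self, bind_to_ip=True, rekey=False):
        self.bind_to_ip = bind_to_ip   # model of an IP-checking session protector
        self.rekey = rekey             # rotate _k on every accepted request
        self._sessions = {}            # _s -> {"ip": str, "k": str}

    @staticmethod
    def _url(s, k):
        return "/app?" + urlencode({"_s": s, "_k": k})

    def start(self, client_ip):
        """Create a session for client_ip and return the first URL."""
        s, k = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        self._sessions[s] = {"ip": client_ip, "k": k}
        return self._url(s, k)

    def request(self, url, client_ip):
        """Validate a request. Returns (accepted, next_url_or_reason)."""
        q = parse_qs(urlparse(url).query)
        s = q.get("_s", [None])[0]
        k = q.get("_k", [None])[0]
        sess = self._sessions.get(s)
        if sess is None:
            return False, "unknown session"
        if self.bind_to_ip and sess["ip"] != client_ip:
            return False, "ip mismatch"          # protector catches a different source IP
        if sess["k"] != k:
            return False, "stale continuation key"
        if self.rekey:
            sess["k"] = secrets.token_urlsafe(12)  # every accepted hit invalidates older URLs
        return True, self._url(s, sess["k"])


NAT_IP = "203.0.113.7"       # constructed: one office, one public address


def shared_office_scenario(rekey):
    """Owner pastes the address-bar URL to a colleague behind the same NAT,
    then keeps working. Returns whether the pasted URL still works afterwards."""
    store = SessionStore(bind_to_ip=True, rekey=rekey)
    url = store.start(NAT_IP)
    pasted = url                               # what the colleague received
    ok, url = store.request(url, NAT_IP)       # owner's next click
    assert ok
    ok_colleague, _ = store.request(pasted, NAT_IP)
    return ok_colleague


def race_scenario():
    """Same office, rekeying on, but the colleague clicks first: the copied
    URL is still fresh, so rekeying alone does not close this window."""
    store = SessionStore(bind_to_ip=True, rekey=True)
    url = store.start(NAT_IP)
    ok_colleague, _ = store.request(url, NAT_IP)
    return ok_colleague


def outsider_scenario():
    """A client on a different source IP presents the same URL."""
    store = SessionStore(bind_to_ip=True, rekey=False)
    url = store.start(NAT_IP)
    ok, reason = store.request(url, "198.51.100.9")
    return ok, reason


if __name__ == "__main__":
    print("pasted URL works, no rekey:", shared_office_scenario(rekey=False))
    print("pasted URL works, rekey:", shared_office_scenario(rekey=True))
    print("colleague clicks first, rekey:", race_scenario())
    print("outsider:", outsider_scenario())
```

The model makes the point of the thread concrete: an IP-bound protector rejects an outsider but cannot separate two users behind one NAT, while rotating the key on each request turns a pasted URL into a dead link as soon as the owner clicks again. It also shows the limits: a copy used before the owner's next request is still fresh, and rotating keys invalidates the owner's own earlier URLs (bookmarks, back button), which is the trade-off any rekeying scheme has to accept.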

