[Seaside-dev] RE: Rekeying Sessions

Philippe Marschall philippe.marschall at gmail.com
Thu Mar 19 06:40:48 UTC 2009


That's what the session protector is for.

2009/3/18 Adrian Lienhard <adi at netstyle.ch>:
> I haven't followed this discussion closely, but hijacking a session from a
> referrer log is another threat if the session key is stored in the URL.
>
> Adrian
>
> On Mar 18, 2009, at 23:32 , Boris Popov wrote:
>
>> Yes, there are two reasons why they say it's a risk:
>>
>> - people tend to copy-paste URLs from the address bar when they want to share
>> them with other folks for legitimate reasons; when done within an office
>> behind a common firewall, the session protector won't stop users from
>> unintentionally accessing each other's sessions in this scenario
>>
>> - a more sinister angle is someone simply looking over a user's shoulder and
>> typing the same address into their browser; again, if done within the same
>> internet café, the attacker won't be stopped by a session protector
>>
>> A cookie addresses both scenarios by hiding the session key from the user.
>>
>> Cheers!
>>
>> -Boris
>>
>> --
>> +1.604.689.0322
>> DeepCove Labs Ltd.
>> 4th floor 595 Howe Street
>> Vancouver, Canada V6C 2T5
>> http://tinyurl.com/r7uw4
>>
>> boris at deepcovelabs.com
>>
>> -----Original Message-----
>> From: seaside-dev-bounces at lists.squeakfoundation.org
>> [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Julian Fitzell
>> Sent: Wednesday, March 18, 2009 3:09 PM
>> To: Seaside - developer list
>> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
>>
>> On Wed, Mar 18, 2009 at 10:52 PM, Philippe Marschall
>> <philippe.marschall at gmail.com> wrote:
>>>
>>> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>>>>
>>>> Julian,
>>>>
>>>> Most certainly, there's really nothing in there that isn't generally
>>>> known to Seaside folks already. There really were only 3.5 issues
>>>> raised,
>>>>
>>>> 1. Session ID Stored in URL (Medium)
>>>
>>> I don't agree with this one. I don't see why additionally writing the
>>> session id to disk (that's what browsers do) adds any security. You
>>> still transmit it with every request, just in a different part of the
>>> HTTP header.
>>
>> Presumably the issue they were concerned about is people passing URLs
>> around, no?
>>
>> Julian
>> _______________________________________________
>> seaside-dev mailing list
>> seaside-dev at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
>

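Adrian's referrer-log point above can be checked on your own access logs. The following is an added example, not code from the thread or from Seaside itself; it assumes the classic Seaside URL layout in which the session key travels in the `_s` query parameter, Combined Log Format access-log lines, and constructed sample data.

```python
"""Scan an access log for Referer values that carry a Seaside session key.

Added example (not from the thread or from Seaside). Assumes the session
key is the `_s` query parameter of the referring URL (Seaside also uses
`_k` for the continuation key) and Combined Log Format input.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines; the Referer is the second-to-last quoted field.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2009:23:32:01 +0000] "GET /img/logo.png HTTP/1.1" 200 512 "http://app.example/seaside/shop?_s=SXZ7R0sQcA9wE2Fv&_k=n8KfTwQa" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2009:23:32:02 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Mar/2009:23:33:10 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "http://app.example/seaside/shop" "curl/7.19"
198.51.100.4 - - [18/Mar/2009:23:34:00 +0000] "GET /a HTTP/1.1" 200 10 "http://other.example/page?_s=notours" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

SESSION_PARAM = "_s"  # Seaside session-key parameter (assumption for this example)


def leaked_sessions(log_text, app_host, param=SESSION_PARAM):
    """Return (client_ip, session_key) for every Referer that names app_host
    and carries a session key in its query string."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ref") == "-":
            continue  # malformed line or no Referer sent
        parts = urlsplit(m.group("ref"))
        if parts.hostname != app_host:
            continue  # only report keys belonging to the application we run
        keys = parse_qs(parts.query).get(param)
        if keys:
            hits.append((m.group("ip"), keys[0]))
    return hits


if __name__ == "__main__":
    for ip, key in leaked_sessions(SAMPLE_LOG, "app.example"):
        # Truncate the key in the report so the report itself is not a leak.
        print(f"{ip}: Referer exposed session key {key[:4]}...")
```

Every hit is a session key that left the browser in a plain header and now sits on disk somewhere; the same scan over a third party's logs is exactly what the "referrer log" risk describes.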
