[Seaside] Advice on writing secure webapps from a scarred friend
Avi Bryant
seaside@lists.squeakfoundation.org
Mon, 29 Jul 2002 17:22:30 -0700 (PDT)
On Mon, 29 Jul 2002, Tim Rowledge wrote:
> Ideas on preventing such problems welcomed. I imagine it must be
> possible to make a socket refuse to accept vast amounts of data, though
> how do you decide what is vast? What can be done to 'protect' session
> numbers?
- Use HTTP basic authentication (look for an earlier thread of yours about
auth ;-) so that the attacker has to be on the same machine and browser
session as the real user (problem: no way to log out except for quitting
the browser).
- Encode the IP address of the client into the session key (not so useful
when a LAN is all sharing one IP). Again, the attacker would have to be
on the same machine. Combine with quickly expiring sessions.
What exactly was the attack your friend demonstrated?