[Seaside] Session (in)security?
Colin Putney
cputney at wiresong.ca
Fri Jun 16 00:21:43 UTC 2006
On Jun 15, 2006, at 4:37 PM, Boris Popov wrote:
> Oh I didn't say there was anything wrong with that, it just seemed weird
> that one could copy the url from one machine to the other and pick up an
> exact same session. By the way, password was just an example, not related to
> the session key issue. Obviously our app is password protected as well, but
> with url copying, all you need is a url of a logged-in user and you're good
> to go whereas with a cookie you have to try much harder. I settled on
> basically using both cookie setting and WASessionProtector, but was just
> wondering if cookie setting shouldn't be on by default for ignorant seaside
> beginners like myself, that's all :)
I guess I should have been more precise. If you use HTTP
authentication, then you'd need both a session key *and* a valid
login and password. If you only require login to start a session,
then yeah, a session key is enough to hijack the session.
Colin
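The two cases Colin describes, as an added runnable sketch that is not Seaside code: a hypothetical session store that can bind a session to a cookie and/or re-check HTTP credentials on every request, and a check of what happens when only the URL key is presented from another machine (the user table, cookie name and request object are constructed for this example).

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed user table for the example (plaintext only to keep it short).
USERS = {"alice": "s3cret-example"}

@dataclass
class Request:
    """Stand-in for an HTTP request: the session key carried in the URL,
    the cookies the browser sends, and HTTP Basic credentials, if any."""
    session_key: Optional[str] = None
    cookies: Dict[str, str] = field(default_factory=dict)
    auth: Optional[Tuple[str, str]] = None

class SessionStore:
    """Hypothetical session registry with the two protections the thread discusses."""
    def __init__(self, use_cookie: bool, require_http_auth: bool) -> None:
        self.use_cookie = use_cookie
        self.require_http_auth = require_http_auth
        self.sessions: Dict[str, dict] = {}

    def start(self, user: str) -> Tuple[str, Dict[str, str]]:
        """Create a session; returns the URL key and the cookies the server sets."""
        key = secrets.token_urlsafe(16)
        cookie = secrets.token_urlsafe(16) if self.use_cookie else None
        self.sessions[key] = {"user": user, "cookie": cookie}
        return key, ({"_sc": cookie} if cookie else {})

    def resolve(self, req: Request) -> Optional[str]:
        """Return the session's user only if every required factor is present."""
        sess = self.sessions.get(req.session_key or "")
        if sess is None:
            return None
        # Cookie binding: the URL key alone is not enough, the browser must also hold the cookie.
        if self.use_cookie and not hmac.compare_digest(req.cookies.get("_sc", ""), sess["cookie"]):
            return None
        # HTTP authentication: credentials are checked on every request, not only at session start.
        if self.require_http_auth:
            user, pw = req.auth or ("", "")
            if user != sess["user"] or not hmac.compare_digest(pw, USERS.get(user, "")):
                return None
        return sess["user"]

def pasted_url_resolves(use_cookie: bool, require_http_auth: bool) -> Optional[str]:
    """Alice logs in on machine A; the URL (key only) is then opened on machine B."""
    store = SessionStore(use_cookie, require_http_auth)
    key, _cookies_left_on_machine_a = store.start("alice")
    return store.resolve(Request(session_key=key))  # no cookie, no credentials
```

With neither protection the pasted URL resolves to Alice's session; with either the cookie binding or per-request HTTP authentication it does not.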