[Seaside] Session (in)security?

Boris Popov boris at deepcovelabs.com
Fri Jun 16 05:37:25 UTC 2006

Right, so we are talking about the same thing then. Since not a whole lot of modern web apps rely on http auth, wouldn't it make sense to make a cookie setting 'true' by default? That's all I was asking for as a newbie seaside user who walked right into the trap by having such an obvious flaw pointed out to him by one of his peers purely by accident. Its not the kind of mistake I will make again, but I'm just trying to look out for those who follow :) That, and the WASessionProtector should at least be more obvious, but I'm afraid this'll become a documentation discussion in a blink of an eye.
Thanks for the feedback everyone,

DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5

boris at deepcovelabs.com


This email is intended only for the persons named in the message
header. Unless otherwise indicated, it contains information that is
private and confidential. If you have received it in error, please
notify the sender and delete the entire message including any

Thank you.


From: seaside-bounces at lists.squeakfoundation.org on behalf of Colin Putney
Sent: Thu 15/06/2006 5:21 PM
To: The Squeak Enterprise Aubergines Server - general discussion.
Subject: Re: [Seaside] Session (in)security?

On Jun 15, 2006, at 4:37 PM, Boris Popov wrote:

> Oh I didn't say there was anything wrong with that, it just seemed 
> weird
> that one could copy the url from one machine to the other and pick 
> up an
> exact same session. By the way, password was just an example, not 
> related to
> the session key issue. Obviously our app is password protected as 
> well, but
> with url copying, all you need is a url of a logged-in user and 
> you're good
> to go whereas with a cookie you have to try much harder. I settled on
> basically using both cookie setting and WASessionProtector, but was 
> just
> wondering if cookie setting shouldn't be on by default for ignorant 
> seaside
> beginners like myself, that's all :)

I guess I should have been more precise. If you use HTTP 
authentication, then you'd need both a session key *and* a valid 
login and password. If you only require login to start a session, 
then yeah, a session key is enough to hijack the session.

Seaside mailing list
Seaside at lists.squeakfoundation.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.squeakfoundation.org/pipermail/seaside/attachments/20060615/c5580d97/attachment.htm

More information about the Seaside mailing list