[Seaside] Session (in)security?

Bert Freudenberg bert at impara.de
Fri Jun 16 09:16:28 UTC 2006


Am 16.06.2006 um 07:37 schrieb Boris Popov:

> Right, so we are talking about the same thing then. Since not a  
> whole lot of modern web apps rely on http auth, wouldn't it make  
> sense to make a cookie setting 'true' by default? That's all I was  
> asking for as a newbie seaside user who walked right into the trap  
> by having such an obvious flaw pointed out to him by one of his  
> peers purely by accident. It's not the kind of mistake I will make  
> again, but I'm just trying to look out for those who follow :)  
> That, and the WASessionProtector should at least be more obvious,  
> but I'm afraid this'll become a documentation discussion in a blink  
> of an eye.

Security by obscurity is far more dangerous. It's as easy to snoop a  
cookie as a URL, both are plain text going over the wire. IP spoofing  
is harder, but readily available to an attacker, so restricting the  
IP is not only not a good security measure, it's preventing valid  
access, too (my DSL router reconnects regularly, it gets a different  
IP address each time, poof, session lost).

Anyone starting with Seaside rightfully wonders about those funny  
URLs, and if it is explained thoroughly what these mean, the security  
implications are obvious. If the inner workings are hidden by cookies  
then it becomes much more magical, and people would assume that the  
framework will magically do everything for them.

- Bert -
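Added illustration of the two points Bert makes (not Seaside code, and not from anyone on the thread): a session key is just as readable in a plaintext URL as in a Cookie header, and binding a session to the client IP locks out a legitimate user whose address changes. The request captures, the `_s` key name, the addresses and the `SessionStore` class are all constructed for this example.

```python
"""Constructed example: extracting a session key from plaintext HTTP requests,
and a toy session store with optional IP binding. Nothing here is Seaside's
own code; the `_s` key name and all sample values are assumptions."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests, as they would appear on an unencrypted wire.
REQUEST_WITH_URL_KEY = (
    "GET /seaside/app?_s=abc123&_k=xyz HTTP/1.1\r\n"
    "Host: example.test\r\n\r\n"
)
REQUEST_WITH_COOKIE_KEY = (
    "GET /seaside/app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: _s=abc123; theme=dark\r\n\r\n"
)


def extract_session_key(raw_request: str) -> Optional[str]:
    """Return the `_s` session key from a raw request, whether it travels in
    the query string or in the Cookie header. Anyone who can see the
    unencrypted bytes can apply exactly this logic to either form, which is
    why moving the key from the URL into a cookie hides nothing."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    query = parse_qs(urlsplit(target).query)
    if "_s" in query:
        return query["_s"][0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k == "_s":
                    return v
    return None


class SessionStore:
    """Hypothetical server-side store; `bind_to_ip` pins each session to the
    address it was created from."""

    def __init__(self, bind_to_ip: bool) -> None:
        self.bind_to_ip = bind_to_ip
        self.sessions: dict[str, str] = {}  # key -> client IP at creation

    def create(self, key: str, client_ip: str) -> None:
        self.sessions[key] = client_ip

    def lookup(self, key: str, client_ip: str) -> bool:
        """True if this request is allowed to use the session."""
        if key not in self.sessions:
            return False
        if self.bind_to_ip and self.sessions[key] != client_ip:
            return False
        return True


def ip_binding_outcomes() -> dict[str, bool]:
    """Both sides of the IP-binding trade-off on the constructed scenario:
    an unbound store accepts a snooped key from any address; a bound store
    rejects that, but equally rejects the legitimate user once a DSL
    reconnect has handed them a new address."""
    key = extract_session_key(REQUEST_WITH_COOKIE_KEY)
    unbound, bound = SessionStore(bind_to_ip=False), SessionStore(bind_to_ip=True)
    for store in (unbound, bound):
        store.create(key, "203.0.113.10")  # legitimate user's first address
    return {
        "unbound_key_reused_from_other_ip": unbound.lookup(key, "198.51.100.7"),
        "bound_key_reused_from_other_ip": bound.lookup(key, "198.51.100.7"),
        "bound_same_user_after_reconnect": bound.lookup(key, "203.0.113.77"),
    }


if __name__ == "__main__":
    for req in (REQUEST_WITH_URL_KEY, REQUEST_WITH_COOKIE_KEY):
        print("session key visible in plaintext:", extract_session_key(req))
    print(ip_binding_outcomes())
```

The container the key travels in changes nothing about its exposure on an unencrypted connection, and the third result in `ip_binding_outcomes` is the "poof, session lost" case from the message: IP pinning buys a check that a determined attacker can sidestep while reliably breaking ordinary users behind reconnecting routers.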
