[Seaside] Session (in)security?
bert at impara.de
Fri Jun 16 09:16:28 UTC 2006
On 16.06.2006 at 07:37, Boris Popov wrote:
> Right, so we are talking about the same thing then. Since not a
> whole lot of modern web apps rely on http auth, wouldn't it make
> sense to make a cookie setting 'true' by default? That's all I was
> asking for as a newbie seaside user who walked right into the trap
> by having such an obvious flaw pointed out to him by one of his
> peers purely by accident. It's not the kind of mistake I will make
> again, but I'm just trying to look out for those who follow :)
> That, and the WASessionProtector should at least be more obvious,
> but I'm afraid this'll become a documentation discussion in a blink
> of an eye.
Security by obscurity is far more dangerous. It's as easy to snoop a
cookie as a URL, both are plain text going over the wire. IP spoofing
is harder, but readily available to an attacker, so restricting the
IP is not only not a good security measure, it's preventing valid
access, too (my DSL router reconnects regularly, it gets a different
IP address each time, poof, session lost).
Anyone starting with Seaside rightfully wonders about those funny
URLs, and if it is explained thoroughly what these mean, the security
implications are obvious. If the inner workings are hidden by cookies
then it becomes much more magical, and people would assume that the
framework will magically do everything for them.
- Bert -