[Seaside] sharing sessions through links..

Julian Fitzell jfitzell at gmail.com
Tue Oct 28 09:37:34 UTC 2008


On Tue, Oct 28, 2008 at 7:32 AM, radoslav hodnicak <rh at 4096.sk> wrote:
>
> Using HTTP Auth solves this problem quite nicely. The user/password
> combination is sent with every browser request, so if it's not there you
> know it's not your original user.

Except that it requires SSL for every page request to ensure the
password is secure (otherwise someone can hijack not just your session
but your whole account). It also isn't any better than the extra
cookie solution (cookies are also sent on every request) in that it
doesn't actually identify the *user* at the end of the connection;
only the *browser*. If the user has walked away, we won't know. And if
the user has changed browsers, it won't work.

As an aside, this is why you should ask for a user's password again (even
if they are in an authenticated session) before making changes to
their account. The session is only identifying (at best) the browser
and could be used by someone who sniffed the (non-SSL-encrypted)
session keys and cookies or at a computer after the legitimate user
walked away. Any privileges granted to a session are as vulnerable as
the session so, if you don't make changing email addresses and
passwords and so on require a password, you are leaving yourself open
for session-hijackings to escalate into account-hijackings.

Julian
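The distinction Julian draws above (a session cookie identifies the browser, so sensitive account changes should demand the password again) can be shown in a few lines. The following is an added example written for this archive page, not code from the thread or from Seaside; it assumes an in-memory user table and session table (`USERS`, `SESSIONS`), PBKDF2 password hashing, and a constructed `REAUTH_WINDOW` after which a fresh password check is required again. Reading the profile needs only the session; changing the e-mail address needs the session plus a recent password verification, so a hijacked session on its own cannot take over the account.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a real user database and
# session table (assumptions of this example, not Seaside's own API).
USERS = {}     # username -> {"salt": bytes, "hash": bytes, "email": str}
SESSIONS = {}  # session id -> {"user": str, "reauth_at": float or None}

# Seconds for which a fresh password check keeps authorising sensitive changes.
REAUTH_WINDOW = 300


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password, email):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "email": email}


def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def login(username, password):
    """Return a session id (the value that would go into the cookie), or None."""
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    # The session only proves that the browser presenting this cookie logged in;
    # it carries no standing right to change the account.
    SESSIONS[sid] = {"user": username, "reauth_at": None}
    return sid


def view_profile(sid):
    """Low-risk read: the session cookie alone is enough."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    return USERS[sess["user"]]["email"]


def change_email(sid, new_email, password=None, now=None):
    """Sensitive change: needs the session AND a recent password check.

    Returns True on success, otherwise a string naming why it was refused.
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return "no session"
    username = sess["user"]
    if password is not None:
        if not verify_password(username, password):
            return "bad password"
        sess["reauth_at"] = now
    # Someone holding only a sniffed cookie, or sitting at an unattended
    # browser, gets stopped here: the password was never re-entered.
    if sess["reauth_at"] is None or now - sess["reauth_at"] > REAUTH_WINDOW:
        return "password required"
    USERS[username]["email"] = new_email
    return True


if __name__ == "__main__":
    register("alice", "correct horse", "alice@example.test")
    sid = login("alice", "correct horse")
    print(view_profile(sid))                                    # alice@example.test
    print(change_email(sid, "other@example.test"))              # password required
    print(change_email(sid, "other@example.test", "correct horse"))  # True
```

The `now` parameter exists only so the re-authentication window can be exercised deterministically; a real handler would use the clock directly. Note that the check is about escalation, not hijacking itself: the cookie is still sent on every request, so transport protection (SSL) remains necessary to keep it from being sniffed in the first place.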

