[Seaside] Seaside session stealing

Nevin Pratt nevin at bountifulbaby.com
Wed Apr 22 00:31:21 UTC 2009

Hi everyone,

Seaside sessions can be "stolen" with something as simple as user's 
sharing a URL (one person emailing a URL to another person, for 
example).  There are various ways to guard against this problem.  This 
email is a discussion of some of those ways.

The obvious (non)solution is to configure Seaside to use cookies for the 
session data.  The reason I say it is a *non*-solution is because users 
cannot have more than one window open to your website with this method, 
because the cookie is shared with all windows of the browser.  Also, 
some users have browser cookies turned off, thereby cutting off all 
access to a Seaside website that is using session cookies.

Another idea is to look at the IP of the user.  But, at one time, AOL 
users (using AOL's proxy servers) would often have their IP changed with 
(potentially) *every* request, thus making it completely unpractical to 
rely on the user's IP.

However, in late 2006, AOL agreed to send /X-Forwarded-For/ headers, 
which now are supposed to accurately identify AOL users' home IP 
addresses.  Here is a Wikipedia reference for more information on this:


With this change in AOL, I am thinking that *maybe* it is now practical 
to guard against Seaside session stealing via simple IP checks, with 
something like the following code:

   | currentAccessIP |
    currentAccessIP :=  self session currentRequest nativeRequest 
                                         headerAt: 'x-forwarded-for'
                                         ifAbsent: [].
    currentAccessIP ~= lastClientAccessIP ifTrue: ["the Seaside session 
has been stolen"].

(obviously "lastClientAccessIP" would have had to have already been set, 
via the user's very first hit to the website)

But I'm not sure if this would be sufficient.  That's my question to 
everyone-- do you think IP checks can now be relied upon to guard 
against session stealing, or not?

I've looked at some PHP code that approached the session-stealing 
problem with a simple "remember me" cookie.  The "remember me" cookie is 
uniquely set when the user first starts interacting with the website, 
and then if a subsequent request does not have the cookie, the session 
is deemed to have been stolen.  But, obviously this approach does not 
work for users that turn cookies off.

Another approach I've wondered about (and seems quite secure) is the 

1. Use an IP check-- if the IP is the same, the session is NOT stolen.

2. If the IP is different, then check for a "remember me" cookie.  If a 
proper "remember me" cookie exists, then the session is NOT stolen.

3. If the above two checks fail, then assume the session is stolen.

But I'm not sure if something that elaborate is really needed any more.  
I'm thinking that possibly a simple IP check will suffice these days.  
But I'm scared to try only doing an IP check, and nothing else :-) :-)

Does anybody else have any thoughts on this?



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.squeakfoundation.org/pipermail/seaside/attachments/20090421/81c20f0b/attachment.htm

More information about the seaside mailing list