NAT'd IP's Re: [Seaside] Seaside session stealing

Boris Popov boris at deepcovelabs.com
Wed Apr 22 04:26:28 UTC 2009


WASessionProtector + Cookies + SSL? We recently passed a strict audit which deemed this solution to be just that, "good enough". There are no perfectly secure applications out there.

-Boris (via BlackBerry)

________________________________

From: seaside-bounces at lists.squeakfoundation.org 
To: Seaside - general discussion 
Sent: Tue Apr 21 20:58:54 2009
Subject: Re: NAT'd IP's Re: [Seaside] Seaside session stealing 


Yes, but sometimes there's a "good enough" solution.  It depends on your security needs.

On my Seaside site, all that a security breach reveals is the postal address of the person that got "breached".  No financial data is compromised.  And, if a person is sophisticated enough to sniff the packets, they are sophisticated enough to discover a person's postal address some other way anyway (for example, by looking through a local phone book).

I don't know that SSL is needed for such a small security issue.

But, if a normal user shares a URL with another normal user, it might upset them to see the address of the first person on the website due to a session hijacking.

So, I just need to detect these simple cases, and handle it gracefully.

Nevin



	If one can sniff the TCP traffic between server and user, there is no
	difference how you pass a session id - using cookies or unique URL -
	because both can be extracted from packets.
	I think that except SSL, there is no really secure solution.
	
	
	2009/4/22 Nevin Pratt <nevin at bountifulbaby.com>:
	

			Please don't make the mistake of presuming "ip == user".
			
			You've already identified the case (behind a NAT) where many users share
			the same IP, but consider also the "walled garden" of AOL users, where the
			same user can come in from different IPs during a single session.
			
			You must allow for that.
			
			
			      

		Are you sure we still have to allow for that?  AOL made changes in late
		2006:
		
		    http://en.wikipedia.org/wiki/Wikipedia:AOL
		
		But, it really doesn't matter if AOL "walled gardens" are still a problem or
		not, because the NAT problem is still there.  So, doing a simple IP check is
		still a problem anyway.
		
		Nevin
		_______________________________________________
		seaside mailing list
		seaside at lists.squeakfoundation.org
		http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
		
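The trade-off argued across this thread, written out as an added example (this is not Seaside code and not WASessionProtector's actual implementation; the class and scenario names are constructed for the demo): a naive "session is bound to the client IP" check beside a check that pairs the URL-carried session id with a secret held in a cookie, both run over the same three constructed request scenarios. The roaming case is the AOL-style user whose egress IP changes mid-session; the NAT case is Nevin's "normal user shares a URL with another normal user" behind the same address. Neither check helps against someone who captures URL and cookie together off plaintext HTTP, which is the point made about SSL above.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    bound_ip: str        # IP the session was created from
    protector_key: str   # secret the server expects back in a cookie
    owner: str           # constructed label, only for the demo


class SessionStore:
    """In-memory session table (constructed for the example)."""

    def __init__(self):
        self._sessions = {}

    def create(self, owner, client_ip):
        sid = secrets.token_urlsafe(16)
        key = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(sid, client_ip, key, owner)
        return sid, key

    def lookup(self, sid):
        return self._sessions.get(sid)


def ip_bound_check(store, sid, client_ip, cookie_key=None):
    """Naive policy from the thread: accept iff the request IP equals the
    IP the session was created from. cookie_key is ignored on purpose."""
    s = store.lookup(sid)
    return s is not None and s.bound_ip == client_ip


def cookie_bound_check(store, sid, client_ip, cookie_key=None):
    """Pair the session id in the URL with a secret the browser holds in a
    cookie. A URL on its own (pasted, bookmarked, seen over someone's
    shoulder) is not enough; the IP is not consulted at all."""
    s = store.lookup(sid)
    if s is None or cookie_key is None:
        return False
    # Constant-time comparison so the check does not leak the key byte by byte.
    return secrets.compare_digest(s.protector_key, cookie_key)


def run_scenarios():
    """Three constructed requests against one session created by 'alice'
    from 10.0.0.5. Returns, per scenario, whether it is legitimate and
    what each policy decided."""
    store = SessionStore()
    sid, key = store.create("alice", "10.0.0.5")
    scenarios = {
        # Alice's egress IP changes mid-session (the "walled garden" case).
        "roaming_owner": dict(ip="10.0.0.9", cookie=key, legit=True),
        # A neighbour behind the same NAT opens the URL Alice pasted; no cookie.
        "nat_neighbour_with_url": dict(ip="10.0.0.5", cookie=None, legit=False),
        # The same pasted URL opened from outside the NAT; no cookie.
        "outsider_with_url": dict(ip="203.0.113.7", cookie=None, legit=False),
    }
    results = {}
    for name, sc in scenarios.items():
        results[name] = {
            "legit": sc["legit"],
            "ip_bound": ip_bound_check(store, sid, sc["ip"], sc["cookie"]),
            "cookie_bound": cookie_bound_check(store, sid, sc["ip"], sc["cookie"]),
        }
    return results


def policy_errors(results):
    """Count decisions that disagree with the ground truth, per policy.
    A rejected legitimate user and an accepted stranger both count."""
    errors = {"ip_bound": 0, "cookie_bound": 0}
    for r in results.values():
        for policy in errors:
            if r[policy] != r["legit"]:
                errors[policy] += 1
    return errors


if __name__ == "__main__":
    res = run_scenarios()
    for name, r in res.items():
        print(f"{name:24s} legit={r['legit']!s:5s} "
              f"ip_bound={r['ip_bound']!s:5s} cookie_bound={r['cookie_bound']}")
    print("errors per policy:", policy_errors(res))
```

Running it shows the IP-bound policy failing in both directions (it locks out the roaming owner and admits the NAT neighbour) while the cookie-paired policy gets all three right; the one case it cannot cover is the sniffer the thread reserves SSL for.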