[Seaside-dev] RE: Rekeying Sessions

Julian Fitzell jfitzell at gmail.com
Wed Mar 18 08:50:35 UTC 2009


Hi Boris,

Thanks for the suggestion. I filed
http://code.google.com/p/seaside/issues/detail?id=368 for this. There
are a handful of security-related feature requests relating to sessions
and cookies in there at the moment.

I understand you might not want to share details, particularly before
you have addressed the issues, but I'm sure we would all be interested
to hear, even in general terms, what other kinds of issues were raised
in your audit. So if at any point you feel you are able to share more
(even off-list if need be) that would be very interesting.

Cheers,

Julian

On Wed, Mar 18, 2009 at 12:24 AM, Boris Popov <boris at deepcovelabs.com> wrote:
> It looks like the following is needed when using cookies,
>
> rekey
>  self application changeKeyForHandler: self.
>  self useSessionCookie ifTrue: [self redirectWithCookie: self sessionCookie].
>
> -Boris
>
> --
> +1.604.689.0322
> DeepCove Labs Ltd.
> 4th floor 595 Howe Street
> Vancouver, Canada V6C 2T5
> http://tinyurl.com/r7uw4
>
> boris at deepcovelabs.com
>
> CONFIDENTIALITY NOTICE
>
> This email is intended only for the persons named in the message header.
> Unless otherwise indicated, it contains information that is private and
> confidential. If you have received it in error, please notify the sender
> and delete the entire message including any attachments.
>
> Thank you.
> -----Original Message-----
> From: Boris Popov
> Sent: Tuesday, March 17, 2009 3:18 PM
> To: 'seaside-dev at lists.squeakfoundation.org'
> Subject: Rekeying Sessions
>
> Hey,
>
> Our auditors had recently completed comprehensive penetration testing of
> our Seaside-based applications and one of the medium-priority
> recommendations they had was to issue different session id after login
> (see attached comments). It later became "low priority" when we
> demonstrated that attacker's source IP needed to match because we used
> session protector.
>
> Here's a snippet for 2.8 that appears to do the trick (not very well
> tested yet), but I thought this might be worth including in base for
> 2.9?
>
> WASession>>rekey
>  self application changeKeyForHandler: self.
>
> WARegistry>>changeKeyForHandler: anObject
>  self mutex
>  critical:
>   [(keysByHandler at: anObject ifAbsent: [nil])
>    ifNotNil:
>     [:key |
>     keysByHandler removeKey: anObject.
>     handlersByKey removeKey: key]].
>  ^self ensureKeyForHandler: anObject.
>
> This all comes together in a task,
>
> LoginTask>>go
>  login := Login new.
>  [self login] whileFalse.
>  self session rekey.
>  self call: menu.
>
> Hope this helps,
>
> -Boris
>
> _______________________________________________
> seaside-dev mailing list
> seaside-dev at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
>
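The defence discussed in the thread (issuing a fresh session id after login so that an id the user carried before authenticating, whether guessed or planted, stops resolving) as an added example. This is constructed illustration code, not Seaside's WARegistry or anything from Boris's snippet; it is written in Python rather than Smalltalk so it can run stand-alone, and it mirrors the two-map structure (keys by handler, handlers by key) and the "remove old key, then ensure a new one" order of the quoted `changeKeyForHandler:`. The cookie name `_s` and the redirect target `/` are assumptions.

```python
"""Session registry with rekey-on-login (session fixation defence).

Constructed example: models the keysByHandler / handlersByKey idea from
the thread, not Seaside's actual implementation.
"""
import secrets
import threading


class SessionRegistry:
    """Bidirectional map between session objects and their opaque keys."""

    def __init__(self):
        self._lock = threading.Lock()
        self._handlers_by_key = {}   # key   -> session
        self._keys_by_handler = {}   # session -> key

    @staticmethod
    def _new_key():
        # 256 bits from the OS CSPRNG; never derive ids from time or counters.
        return secrets.token_urlsafe(32)

    def ensure_key_for_handler(self, handler):
        """Return the handler's key, minting one if it has none."""
        with self._lock:
            key = self._keys_by_handler.get(handler)
            if key is None:
                key = self._new_key()
                self._keys_by_handler[handler] = key
                self._handlers_by_key[key] = handler
            return key

    def change_key_for_handler(self, handler):
        """Drop the handler's current key under the lock, then issue a new one.

        The old key must be removed from BOTH maps; forgetting handlers_by_key
        would leave the pre-login id still resolving, defeating the rekey.
        """
        with self._lock:
            old_key = self._keys_by_handler.pop(handler, None)
            if old_key is not None:
                self._handlers_by_key.pop(old_key, None)
        return self.ensure_key_for_handler(handler)

    def handler_for_key(self, key):
        """Resolve an incoming session id; None means unknown or revoked."""
        with self._lock:
            return self._handlers_by_key.get(key)


class Session:
    """Minimal session: an authenticated user plus a cookie-based id."""

    def __init__(self, registry, use_session_cookie=True):
        self.registry = registry
        self.use_session_cookie = use_session_cookie
        self.user = None
        registry.ensure_key_for_handler(self)

    @property
    def key(self):
        return self.registry.ensure_key_for_handler(self)

    def redirect_with_cookie(self, key):
        # Assumed cookie name and redirect target; Secure/HttpOnly keep the
        # new id off plain HTTP and away from page scripts.
        return {
            "status": "302 Found",
            "location": "/",
            "set_cookie": f"_s={key}; Path=/; Secure; HttpOnly; SameSite=Lax",
        }

    def rekey(self):
        """Issue a fresh id; with cookies the client must be told about it."""
        new_key = self.registry.change_key_for_handler(self)
        if self.use_session_cookie:
            return self.redirect_with_cookie(new_key)
        return None

    def login(self, username, password_ok):
        """Authenticate, then rekey BEFORE handing back the logged-in session."""
        if not password_ok:
            return None
        self.user = username
        return self.rekey()


def login_flow_demo():
    """Walk through a login and report what the old and new ids resolve to."""
    registry = SessionRegistry()
    session = Session(registry)
    pre_login_key = session.key              # id the client held before login
    response = session.login("alice", password_ok=True)
    return {
        "old_key": pre_login_key,
        "new_key": session.key,
        "old_resolves": registry.handler_for_key(pre_login_key),
        "new_resolves": registry.handler_for_key(session.key) is session,
        "response": response,
    }


if __name__ == "__main__":
    result = login_flow_demo()
    print("old id still valid:", result["old_resolves"] is not None)
    print("new id valid:      ", result["new_resolves"])
    print(result["response"]["set_cookie"])
```

The order matters: the old key is removed inside the critical section and the new one minted afterwards, so there is no window in which the session is reachable under two ids. When the id lives in a cookie, the rekey is incomplete until the client has received the new `Set-Cookie`, which is why the thread's revised `rekey` adds the redirect; an id carried in the URL instead would simply be rendered into the next page's links.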

