[Seaside-dev] RE: Rekeying Sessions

Boris Popov boris at deepcovelabs.com
Wed Mar 18 22:32:05 UTC 2009


Yes, there are two reasons why they say it's a risk,

- people tend to copy-paste URLs from address bar when they want to share them with other folks for legitimate reasons; when done within an office behind a common firewall, session protector won't stop users from unintentionally accessing each other's sessions in this scenario

- a more sinister angle is someone simply looking over user's shoulder and typing the same address in their browser; again, if done within the same internet café then attacker won't be stopped by a session protector

A cookie addresses both scenarios by hiding the session key from the user.

Cheers!

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

boris at deepcovelabs.com

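To make the two scenarios above concrete, here is a small added example (not code from the thread or from Seaside) that models the session-key transports and the IP-based session protector being discussed. The parameter name `_s`, the cookie name `sid`, the `Server`/`Request` classes and the IP addresses are all constructed for the illustration; the example shows that a pasted URL carries the key into a second browser, that an IP check does not distinguish two clients behind one egress address, and that a cookie-carried key never appears in the pasted URL at all.

```python
"""Constructed model of URL-carried vs cookie-carried session keys with
an IP-based "session protector". Hypothetical names throughout; this is
not Seaside's implementation."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SESSION_PARAM = "_s"    # assumed query-parameter name (mirrors Seaside's convention)
SESSION_COOKIE = "sid"  # assumed cookie name


@dataclass
class Session:
    key: str
    user: str
    owner_ip: str  # client address observed when the session was created


@dataclass
class Request:
    url: str
    client_ip: str
    cookies: Dict[str, str] = field(default_factory=dict)


class Server:
    """Resolves a session from the URL or from a cookie, optionally
    rejecting requests whose client IP differs from the session owner's."""

    def __init__(self, transport: str, protect: bool) -> None:
        assert transport in ("url", "cookie")
        self.transport = transport
        self.protect = protect
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> Request:
        """Create a session and return the request the user's own browser
        would send next: key in the URL or in the cookie jar, per transport."""
        key = secrets.token_urlsafe(16)
        self.sessions[key] = Session(key, user, client_ip)
        if self.transport == "url":
            url = f"https://app.example/?{urlencode({SESSION_PARAM: key})}"
            return Request(url, client_ip)
        return Request("https://app.example/", client_ip, {SESSION_COOKIE: key})

    def _key_of(self, req: Request) -> Optional[str]:
        if self.transport == "url":
            return parse_qs(urlsplit(req.url).query).get(SESSION_PARAM, [None])[0]
        return req.cookies.get(SESSION_COOKIE)

    def resolve(self, req: Request) -> Optional[str]:
        """Return the user the request would be served as, or None."""
        key = self._key_of(req)
        sess = self.sessions.get(key) if key else None
        if sess is None:
            return None
        if self.protect and sess.owner_ip != req.client_ip:
            return None  # session protector rejects the mismatch
        return sess.user


# Constructed addresses: one shared egress IP (office NAT or café) and one elsewhere.
SHARED_EGRESS = "203.0.113.10"
ELSEWHERE = "198.51.100.7"


def own_request(transport: str, protect: bool) -> Optional[str]:
    """The legitimate user's follow-up request must always resolve."""
    srv = Server(transport, protect)
    return srv.resolve(srv.login("alice", SHARED_EGRESS))


def pasted_url(transport: str, protect: bool, login_ip: str, second_ip: str) -> Optional[str]:
    """A second person types or pastes the address-bar URL into their own
    browser: same URL, their own IP, an empty cookie jar."""
    srv = Server(transport, protect)
    alice = srv.login("alice", login_ip)
    return srv.resolve(Request(alice.url, second_ip))


if __name__ == "__main__":
    print("same egress, URL key, protector on :", pasted_url("url", True, SHARED_EGRESS, SHARED_EGRESS))
    print("other IP,    URL key, protector on :", pasted_url("url", True, SHARED_EGRESS, ELSEWHERE))
    print("other IP,    URL key, protector off:", pasted_url("url", False, SHARED_EGRESS, ELSEWHERE))
    print("same egress, cookie,  protector on :", pasted_url("cookie", True, SHARED_EGRESS, SHARED_EGRESS))
```

Running it shows the thread's point directly: with the key in the URL, the protector only helps when the second browser comes from a different address, while the cookie transport yields nothing from the pasted URL regardless of where it is pasted.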
-----Original Message-----
From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Julian Fitzell
Sent: Wednesday, March 18, 2009 3:09 PM
To: Seaside - developer list
Subject: Re: [Seaside-dev] RE: Rekeying Sessions

On Wed, Mar 18, 2009 at 10:52 PM, Philippe Marschall <philippe.marschall at gmail.com> wrote:
> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>> Julian,
>>
>> Most certainly, there's really nothing in there that isn't generally 
>> known to Seaside folks already. There really were only 3.5 issues 
>> raised,
>>
>> 1. Session ID Stored in URL (Medium)
>
> I don't agree with this one. I don't see why additionally writing the 
> session id to disk (that's what browsers do) adds any security. You 
> still transmit it with every request, just in a different part of the 
> HTTP header.

Presumably the issue they were concerned about is people passing URLs around, no?

Julian
_______________________________________________
seaside-dev mailing list
seaside-dev at lists.squeakfoundation.org
http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev