[Seaside-dev] RE: Rekeying Sessions
Adrian Lienhard
adi at netstyle.ch
Wed Mar 18 22:49:58 UTC 2009
I haven't followed this discussion closely, but hijacking a session
from a referrer log is another threat if the session key is stored in
the URL.
Adrian
On Mar 18, 2009, at 23:32 , Boris Popov wrote:
> Yes, there are two reasons why they say it's a risk,
>
> - people tend to copy-paste URLs from address bar when they want to
> share them with other folks for legitimate reasons; when done within
> an office behind a common firewall, session protector won't stop
> users from unintentionally accessing each other's sessions in this
> scenario
>
> - a more sinister angle is someone simply looking over a user's
> shoulder and typing the same address in their browser; again, if
> done within the same internet café then attacker won't be stopped by
> a session protector
>
> Cookie addresses both scenarios by hiding session key from the user.
>
> Cheers!
>
> -Boris
>
> -----Original Message-----
> From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Julian Fitzell
> Sent: Wednesday, March 18, 2009 3:09 PM
> To: Seaside - developer list
> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
>
> On Wed, Mar 18, 2009 at 10:52 PM, Philippe Marschall <philippe.marschall at gmail.com> wrote:
>> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>>> Julian,
>>>
>>> Most certainly, there's really nothing in there that isn't generally
>>> known to Seaside folks already. There really were only 3.5 issues
>>> raised,
>>>
>>> 1. Session ID Stored in URL (Medium)
>>
>> I don't agree with this one. I don't see why additionally writing the
>> session id to disk (that's what browsers do) adds any security. You
>> still transmit it with every request, just in a different part of the
>> HTTP header.
>
> Presumably the issue they were concerned about is people passing
> URLs around, no?
>
> Julian
> _______________________________________________
> seaside-dev mailing list
> seaside-dev at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
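As an added illustration of the referrer-log and URL-sharing risk discussed in this thread (not code from the thread or from Seaside itself): a small audit over constructed access-log lines that flags session keys arriving in a request URL from a foreign Referer, and keys reused from more than one client address. The combined log format, the `_s` parameter name and the hostnames are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions: Apache/nginx "combined" log format, and the session key carried
# in the query parameter named below (an assumed name, not taken from the page).
SESSION_PARAM = "_s"
OUR_HOST = "app.example.test"   # constructed hostname of the application

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def session_key(url):
    """Return the session key carried in the URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None

def audit_session_urls(lines):
    """Scan combined-format access log lines for session keys travelling in URLs.

    Returns a dict with two lists:
      'foreign_referer': (client, key, referer) for requests whose URL carried a
                         session key and whose Referer is a page on another host,
                         i.e. the key had already left the application (pasted
                         link, third-party referrer log)
      'shared_key'     : (key, sorted clients) for keys used from several clients
    """
    foreign, clients_by_key = [], defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue   # not a combined-format line; skip it
        key = session_key(m["target"])
        if key is None:
            continue   # no session key in this URL (e.g. cookie-based session)
        clients_by_key[key].add(m["client"])
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host and ref_host != OUR_HOST:
            foreign.append((m["client"], key, m["referer"]))
    shared = [(k, sorted(c)) for k, c in clients_by_key.items() if len(c) > 1]
    return {"foreign_referer": foreign, "shared_key": sorted(shared)}

# Constructed sample log: an in-app navigation, the same key arriving via a link
# on a webmail page (it was pasted/shared), and one request without any key.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Mar/2009:22:49:58 +0000] "GET /app?_s=k1&_k=c1 HTTP/1.1" 200 512 "http://app.example.test/app?_s=k1" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Mar/2009:22:50:10 +0000] "GET /app?_s=k1&_k=c2 HTTP/1.1" 200 512 "http://webmail.example.test/inbox" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Mar/2009:22:51:00 +0000] "GET /app HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(audit_session_urls(SAMPLE_LOG))
```

A key that shows up with a foreign Referer or from several clients is exactly the case the thread describes: the URL, and with it the session, has been handed to someone other than the user who created it.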