[Seaside-dev] RE: Rekeying Sessions

Adrian Lienhard adi at netstyle.ch
Wed Mar 18 23:20:05 UTC 2009


well, it's not your log but the logs of some other website to which  
you link.

Adrian

On Mar 18, 2009, at 23:54 , Boris Popov wrote:

> True enough, although that assumes higher sophistication and in our  
> specific case we don't store access logs, so it didn't come up.
>
> -Boris
>
> -- 
> +1.604.689.0322
> DeepCove Labs Ltd.
> 4th floor 595 Howe Street
> Vancouver, Canada V6C 2T5
> http://tinyurl.com/r7uw4
>
> boris at deepcovelabs.com
>
> -----Original Message-----
> From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Adrian Lienhard
> Sent: Wednesday, March 18, 2009 3:50 PM
> To: Seaside - developer list
> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
>
> I haven't followed this discussion closely, but hijacking a session  
> from a referrer log is another threat if the session key is stored  
> in the URL.
>
> Adrian
>
> On Mar 18, 2009, at 23:32 , Boris Popov wrote:
>
>> Yes, there are two reasons why they say it's a risk,
>>
>> - people tend to copy-paste URLs from address bar when they want to
>> share them with other folks for legitimate reasons; when done within
>> an office behind a common firewall, session protector won't stop  
>> users
>> from unintentionally accessing each other's sessions in this scenario
>>
>> - a more sinister angle is someone simply looking over user's  
>> shoulder
>> and typing the same address in their browser; again, if done within
>> the same internet café then attacker won't be stopped by a session
>> protector
>>
>> A cookie addresses both scenarios by hiding the session key from the user.
>>
>> Cheers!
>>
>> -Boris
>>
>> -----Original Message-----
>> From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Julian Fitzell
>> Sent: Wednesday, March 18, 2009 3:09 PM
>> To: Seaside - developer list
>> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
>>
>> On Wed, Mar 18, 2009 at 10:52 PM, Philippe Marschall <philippe.marschall at gmail.com> wrote:
>>> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>>>> Julian,
>>>>
>>>> Most certainly, there's really nothing in there that isn't  
>>>> generally
>>>> known to Seaside folks already. There really were only 3.5 issues
>>>> raised,
>>>>
>>>> 1. Session ID Stored in URL (Medium)
>>>
>>> I don't agree with this one. I don't see why additionally writing  
>>> the
>>> session id to disk (that's what browsers do) adds any security. You
>>> still transmit it with every request, just in a different part of  
>>> the
>>> HTTP header.
>>
>> Presumably the issue they were concerned about is people passing URLs
>> around, no?
>>
>> Julian
>> _______________________________________________
>> seaside-dev mailing list
>> seaside-dev at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
>
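One way to see the referrer-log exposure Adrian describes from the defending side, as an added example that is not part of this thread: it scans combined-format access log lines of a site that is linked to and flags Referer headers whose query string carries a session key. `_s` and `_k` are Seaside's session and continuation parameter names (not quoted on this page); the other parameter names, the hosts and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters that carry a session key. "_s" is Seaside's session
# parameter; the other names are assumed examples from other frameworks.
SESSION_PARAMS = {"_s", "PHPSESSID", "jsessionid", "sessionid"}

# Apache/nginx "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def session_keys_in_url(url):
    """Return {param: value} for session-carrying query parameters in url."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k in SESSION_PARAMS}

def find_leaked_sessions(log_lines):
    """Scan a third-party site's access log and report every Referer that
    carries another site's session key, i.e. a session id that this site
    now holds in its logs because the browser sent the full linking URL."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        referer = m.group("referer")
        keys = session_keys_in_url(referer)
        if keys:
            leaks.append({"client": m.group("host"), "time": m.group("time"),
                          "referer_host": urlsplit(referer).netloc,
                          "session": keys})
    return leaks

# Constructed sample log lines of the linked-to site (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2009:23:20:05 +0000] "GET /docs HTTP/1.1" 200 512 '
    '"http://app.example.com/seaside/app?_s=AbCdEf123&_k=x9y8" "Mozilla/5.0"',
    '203.0.113.8 - - [18/Mar/2009:23:21:10 +0000] "GET / HTTP/1.1" 200 100 '
    '"http://app.example.com/seaside/app" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Mar/2009:23:22:00 +0000] "GET /x HTTP/1.1" 404 0 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for leak in find_leaked_sessions(SAMPLE_LOG):
        print(f"{leak['time']} {leak['client']} leaked {leak['session']} "
              f"from {leak['referer_host']}")
```

Only the first sample line is reported: the second links to the application without a session key in the URL, and the third has no Referer at all.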
