[Seaside-dev] RE: Rekeying Sessions

Julian Fitzell jfitzell at gmail.com
Thu Mar 19 07:45:12 UTC 2009


IP Spoofing is easy... and if you have the referer log entry you know
what IP they were using.

On Thu, Mar 19, 2009 at 7:40 AM, Philippe Marschall
<philippe.marschall at gmail.com> wrote:
> That's what the session protector is for.
>
> 2009/3/18 Adrian Lienhard <adi at netstyle.ch>:
>> I haven't followed this discussion closely, but hijacking a session from a
>> referrer log is another threat if the session key is stored in the URL.
>>
>> Adrian
>>
>> On Mar 18, 2009, at 23:32 , Boris Popov wrote:
>>
>>> Yes, there are two reasons why they say it's a risk,
>>>
>>> - people tend to copy-paste URLs from address bar when they want to share
>>> them with other folks for legitimate reasons; when done within an office
>>> behind a common firewall, session protector won't stop users from
>>> unintentionally accessing each other's sessions in this scenario
>>>
>>> - a more sinister angle is someone simply looking over user's shoulder and
>>> typing the same address in their browser; again, if done within the same
>>> internet café then attacker won't be stopped by a session protector
>>>
>>> Cookie addresses both scenarios by hiding session key from the user.
>>>
>>> Cheers!
>>>
>>> -Boris
>>>
>>> --
>>> +1.604.689.0322
>>> DeepCove Labs Ltd.
>>> 4th floor 595 Howe Street
>>> Vancouver, Canada V6C 2T5
>>> http://tinyurl.com/r7uw4
>>>
>>> boris at deepcovelabs.com
>>>
>>> CONFIDENTIALITY NOTICE
>>>
>>> This email is intended only for the persons named in the message header.
>>> Unless otherwise indicated, it contains information that is private and
>>> confidential. If you have received it in error, please notify the sender and
>>> delete the entire message including any attachments.
>>>
>>> Thank you.
>>>
>>> -----Original Message-----
>>> From: seaside-dev-bounces at lists.squeakfoundation.org
>>> [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Julian
>>> Fitzell
>>> Sent: Wednesday, March 18, 2009 3:09 PM
>>> To: Seaside - developer list
>>> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
>>>
>>> On Wed, Mar 18, 2009 at 10:52 PM, Philippe Marschall
>>> <philippe.marschall at gmail.com> wrote:
>>>>
>>>> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>>>>>
>>>>> Julian,
>>>>>
>>>>> Most certainly, there's really nothing in there that isn't generally
>>>>> known to Seaside folks already. There really were only 3.5 issues
>>>>> raised,
>>>>>
>>>>> 1. Session ID Stored in URL (Medium)
>>>>
>>>> I don't agree with this one. I don't see why additionally writing the
>>>> session id to disk (that's what browsers do) adds any security. You
>>>> still transmit it with every request, just in a different part of the
>>>> HTTP header.
>>>
>>> Presumably the issue they were concerned about is people passing URLs
>>> around, no?
>>>
>>> Julian
>>> _______________________________________________
>>> seaside-dev mailing list
>>> seaside-dev at lists.squeakfoundation.org
>>> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
>>
>>
>
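The referrer-log leak Adrian raises above, shown as an added example (this is illustration code written for this page, not Seaside's or any poster's code). It assumes Seaside's URL layout, where the session key travels as the `_s` query parameter and the continuation key as `_k`, and uses constructed Apache "combined" log lines standing in for what a third-party site records when a user follows an outbound link from the application: the Referer field carries the full originating URL, so a URL-based session key lands in someone else's log together with the client address, while a cookie-based session leaves only the path behind. The `protector_allows` helper models an IP-binding session protector, which is why users sharing one NAT address pass it, as Boris notes.

```python
"""Demonstration of session-key exposure through a third party's Referer log.

Added example for this thread; not Seaside code. Assumes Seaside-style URLs
(`_s` = session key, `_k` = continuation key). All log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines as recorded by an external site that
# the application links to. The second line is what the same click produces
# when the session key is carried in a cookie rather than in the URL.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2009:23:32:01 +0000] "GET /docs HTTP/1.1" 200 512 "http://app.example/seaside/app?_s=AbCdEf123456&_k=XyZ987" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2009:23:33:10 +0000] "GET /docs HTTP/1.1" 200 512 "http://app.example/seaside/app" "Mozilla/5.0"
198.51.100.2 - - [18/Mar/2009:23:34:15 +0000] "GET /img/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def session_key_in_url(url):
    """Return the `_s` session key carried in a URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get("_s")
    return values[0] if values else None


def leaked_sessions(log_text):
    """Return (client_ip, session_key) for every log line whose Referer exposes a key.

    A cookie-based session produces a Referer with no `_s`, so it is skipped.
    """
    found = []
    for line in log_text.splitlines():
        match = COMBINED.match(line)
        if not match or match["referer"] == "-":
            continue
        key = session_key_in_url(match["referer"])
        if key:
            found.append((match["ip"], key))
    return found


def hijack_url(base_url, session_key):
    """Build the URL someone holding the leaked key would paste into a browser.

    Only `_s` is reused; `_k` is deliberately dropped (assumption for this
    example: the key alone is what selects the server-side session).
    """
    return f"{base_url}?_s={session_key}"


def protector_allows(bound_ip, request_ip):
    """Model an IP-binding session protector.

    It rejects a request from a different address, but every client behind
    the same NAT or proxy presents the bound address and is let through.
    """
    return bound_ip == request_ip


if __name__ == "__main__":
    for ip, key in leaked_sessions(SAMPLE_LOG):
        print(f"client {ip} leaked session {key}")
        print("  resume with:", hijack_url("http://app.example/seaside/app", key))
        print("  protector passes same-NAT attacker:", protector_allows(ip, ip))
        print("  protector blocks other address:", protector_allows(ip, "198.51.100.2"))
```

Run it as a script to see the one leaked key, the URL that resumes that session, and the two protector outcomes; the line with the cookie-based Referer contributes nothing, which is the difference the thread is debating.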
