[Seaside-dev] RE: Rekeying Sessions

Boris Popov boris at deepcovelabs.com
Thu Mar 19 15:52:22 UTC 2009


Philippe,

I totally know what you mean, but the name of the game we play is called Tier 1 PCI DSS, and there the question isn't so much about what is "practical", but rather what is "possible". Technically, the auditor's classification of "Session ID in the URL" is a Medium-Low (thanks to a session protector), which means we can pass our audit this time, but their standards are tightening every year and we'd rather not even think about it too much and move to cookies as soon as possible.

Cheers!

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

boris at deepcovelabs.com

CONFIDENTIALITY NOTICE

This email is intended only for the persons named in the message header. Unless otherwise indicated, it contains information that is private and confidential. If you have received it in error, please notify the sender and delete the entire message including any attachments.

Thank you.
-----Original Message-----
From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Philippe Marschall
Sent: Wednesday, March 18, 2009 11:40 PM
To: Seaside - developer list
Subject: Re: [Seaside-dev] RE: Rekeying Sessions

2009/3/18 Boris Popov <boris at deepcovelabs.com>:
> Yes, there are two ways why they say it's a risk,
>
> - people tend to copy-paste URLs from address bar when they want to 
> share them with other folks for legitimate reasons; when done within 
> an office behind a common firewall, session protector won't stop users 
> from unintentionally accessing each other's sessions in this scenario
>
> - a more sinister angle is someone simply looking over user's shoulder 
> and typing the same address in their browser; again, if done within 
> the same internet café then attacker won't be stopped by a session 
> protector

And retyping the session and continuation key? Yeah right, I can totally see that happening: "Uhm, excuse me for a second, could you move your head away for a second? I cannot see whether that is an I or an l in your session key there."

Philippe
_______________________________________________
seaside-dev mailing list
seaside-dev at lists.squeakfoundation.org
http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
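The two points in the thread, that a session protector bound to the client's address and browser does not distinguish users who share an office NAT, while moving the key out of the URL removes the copy-paste problem entirely, can be illustrated with a small model. The following is an added example written for this page, not Seaside's own code; the protector policy it assumes (same source address and same user agent), the `_s` parameter name, the `app.example` host and the addresses are all constructed for the illustration.

```python
"""Hypothetical model (not Seaside code) of a session protector and of the
two ways of transporting the session key: in the URL or in a cookie."""

import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Request:
    """Constructed HTTP request: only the fields the checks below need."""
    url: str
    remote_addr: str
    user_agent: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    key: str
    owner: str          # who created the session (for the demonstration only)
    remote_addr: str    # client fingerprint captured at creation
    user_agent: str


class Application:
    """Holds sessions; `key_in_url` selects the transport of the session key."""

    def __init__(self, key_in_url: bool):
        self.key_in_url = key_in_url
        self.sessions: Dict[str, Session] = {}

    def start_session(self, owner: str, request: Request) -> Session:
        key = secrets.token_urlsafe(16)
        session = Session(key, owner, request.remote_addr, request.user_agent)
        self.sessions[key] = session
        return session

    def url_for(self, session: Session) -> str:
        # With the key in the URL, every link the user might copy carries it.
        if self.key_in_url:
            return f"https://app.example/?_s={session.key}"
        return "https://app.example/"

    def _protector_accepts(self, session: Session, request: Request) -> bool:
        # Assumed protector policy: the request must come from the same
        # source address and the same user agent as the session's creator.
        return (session.remote_addr == request.remote_addr
                and session.user_agent == request.user_agent)

    def resolve(self, request: Request) -> Optional[Session]:
        """Return the session this request attaches to, or None."""
        if self.key_in_url:
            key = parse_qs(urlparse(request.url).query).get("_s", [None])[0]
        else:
            key = request.cookies.get("_s")
        session = self.sessions.get(key) if key else None
        if session is None or not self._protector_accepts(session, request):
            return None
        return session


OFFICE_EGRESS = "203.0.113.7"            # constructed shared NAT address
CAFE_EGRESS = "198.51.100.20"            # constructed second network
CORPORATE_UA = "Mozilla/5.0 (CorporateBuild)"


def shared_link_scenario(key_in_url: bool, second_user_addr: str = OFFICE_EGRESS) -> Optional[str]:
    """Alice starts a session and pastes a link to Bob, who has no cookie
    for the site. Returns the owner of the session Bob lands in, or None
    when he is not attached to any existing session."""
    app = Application(key_in_url)
    alice = app.start_session(
        "alice", Request("https://app.example/", OFFICE_EGRESS, CORPORATE_UA))
    link = app.url_for(alice)
    bob_request = Request(link, second_user_addr, CORPORATE_UA, cookies={})
    session = app.resolve(bob_request)
    return session.owner if session else None


if __name__ == "__main__":
    print("key in URL, same office NAT :", shared_link_scenario(True))
    print("key in URL, other network   :", shared_link_scenario(True, CAFE_EGRESS))
    print("key in cookie, same office  :", shared_link_scenario(False))
```

With the key in the URL, the protector accepts Bob's request because nothing in it differs from Alice's (same egress address, same browser build), so he lands in her session; from a different network the protector does reject him, which is the mitigation the audit credits. With the key carried only in a cookie, the pasted link contains nothing session-specific and Bob is simply not attached to any session, whatever network he is on.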

