[Seaside] Session (in)security?
Boris Popov
boris at deepcovelabs.com
Fri Jun 16 14:24:52 UTC 2006
Right, so why not pick the least evil of the two? There isn't a perfect
security model out there, but given the choice of a cookie and plain text
url I'd go for cookie 10 times out of 10.
-Boris
--
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
boris at deepcovelabs.com
CONFIDENTIALITY NOTICE
This email is intended only for the persons named in the message
header. Unless otherwise indicated, it contains information that is
private and confidential. If you have received it in error, please
notify the sender and delete the entire message including any
attachments.
Thank you.
-----Original Message-----
From: seaside-bounces at lists.squeakfoundation.org
[mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf Of Adrian
Lienhard
Sent: Friday, June 16, 2006 2:58 AM
To: The Squeak Enterprise Aubergines Server - general discussion.
Subject: Re: [Seaside] Session (in)security?
On Jun 16, 2006, at 11:16 , Bert Freudenberg wrote:
[..]
> Anyone starting with Seaside rightfully wonders about those funny
> URLs, and if it is explained thoroughly what these mean, the
> security implications are obvious.
I agree, but are the implications really that obvious (because, as
usual, they are not explained)...
What nobody mentioned so far is not only the problem when you mail an
URL to somebody but the much more subtle transfer of an URL by the
referer field in the HTTP header. If you have links in your
application that point to some other web site, your URL is disclosed
to this server (the referer field is typically added to the log files).
Adrian
_______________________________________________
Seaside mailing list
Seaside at lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3370 bytes
Desc: not available
Url : http://lists.squeakfoundation.org/pipermail/seaside/attachments/20060616/22d62eb7/smime.bin
More information about the Seaside
mailing list