[mod_python] Announcement: Roadkill version 0.01 "Kitten"

David Fraser davidf at sjsoft.com
Sun Jun 8 22:11:16 EST 2003


verence wrote:

> Dustin Mitchell wrote:
>
>> On Sun, Jun 08, 2003 at 11:24:33AM -0600, Gre7g Luterman wrote:
>>
>>>> - - Permanent and temporary sessions. Every website uses cookies for
>>>> only one thing - sessions. We should have this built in by default.
>>>
>>> Personally, I prefer to pass a variable SID around with each link 
>>> and form. Yeah, it's not as convenient as a cookie, but at least you 
>>> don't have to worry about cookies being enabled. Plus, it is 
>>> available on the first page load and it is compatible with CGI's I 
>>> wrote before getting into mod_python, where it was too tricky to 
>>> modify headers to set one.
>>
>> And it's less secure. If I hand someone a link like
>>
>> http://www.yoursite.com/SID=209354634
>>
>> Then get them to log in (and thus initiate that session), then I can
>> hijack their session by using the same URL. At least with cookies it's
>> much harder to get someone to install a cookie for a foreign site on
>> their browser.
>>
>> Be careful!
>>
>> Dustin
>>
> hi,
>
> this common problem was solved very often, one way is to recalculate
> the SID for every response you send back according to the SID you got
> from the request (and keep track of the SIDs during a session). a much
> easier way is to maintain a pool of SIDs actually being used and
> throw away the unused ones (after a session timeout), whether with a
> scheduled thread or a check every time a SID arrives from a client. in
> fact, this is the mechanism most java servlet engines use (whether they store
> the id in a cookie or as a parameter). and it only seems that cookies
> are more secure, it is easy to fake them. this session thingy is (from
> my pov) a real security bottleneck, so i just can repeat your words...
>
> be careful... :)
>
> greets 

Actually what needs to be ensured is that the SID is secure.
We have a system where we use cookies, and the SID is an md5 hash of the
timestamp, username, password, and a secret string. That way it can't be
forged and we can keep track of sessions based on timestamp.

David
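As an added illustration of the two mitigations raised in this thread (a server-side pool of live SIDs that drops idle ones after a timeout, and a SID that is replaced when the user logs in, so a SID planted in a link before login never becomes the logged-in session), here is a small session store in Python. It is example code written for this page, not mod_python's own API nor any poster's code; the class, its method names and the timeout value are assumptions.

```python
import secrets
import time

SESSION_TIMEOUT = 600  # seconds a SID may sit idle before the pool drops it (assumed)


class SessionStore:
    """Server-side pool of live SIDs (hypothetical helper, not mod_python's API).
    Only SIDs minted here are accepted, idle ones expire, and the SID is
    replaced at login so a pre-planted SID cannot reach the logged-in session."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock          # injectable clock so expiry can be tested
        self._sessions = {}         # sid -> {"user": str | None, "last": float}

    @staticmethod
    def _new_sid():
        # 256 bits from the OS CSPRNG: not derived from anything a client knows
        return secrets.token_urlsafe(32)

    def create(self):
        sid = self._new_sid()
        self._sessions[sid] = {"user": None, "last": self.clock()}
        return sid

    def expire_idle(self):
        """Throw away SIDs that have been idle longer than the timeout."""
        now = self.clock()
        stale = [s for s, d in self._sessions.items() if now - d["last"] > self.timeout]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def lookup(self, sid):
        """Session for a SID a client presented, or None if unknown or expired."""
        self.expire_idle()
        sess = self._sessions.get(sid)
        if sess is not None:
            sess["last"] = self.clock()   # activity refreshes the idle timer
        return sess

    def login(self, sid, user):
        """Bind `user` to a fresh SID and retire the SID presented at login."""
        if self.lookup(sid) is None:
            return None
        del self._sessions[sid]           # the pre-login SID is now worthless
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid
```

Whether the SID travels in a cookie or a URL parameter, the check is the same: only a SID present in the pool is honoured, and the one a client held before login is never the one that carries the authenticated session.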


