verence
verence at web.de
Sun Jun 8 20:17:23 EST 2003
Dustin Mitchell wrote:
> On Sun, Jun 08, 2003 at 11:24:33AM -0600, Gre7g Luterman wrote:
>
>>>- - Permanent and temporary sessions. Every website uses cookies for
>>>only one thing - sessions. We should have this built in by default.
>>
>>Personally, I prefer to pass a variable SID around with each link and
>>form. Yeah, it's not as convenient as a cookie, but at least you
>>don't have to worry about cookies being enabled. Plus, it is
>>available on the first page load and it is compatible with CGI's I
>>wrote before getting into mod_python, where it was too tricky to
>>modify headers to set one.
>
>
> And it's less secure. If I hand someone a link like
>
> http://www.yoursite.com/SID=209354634
>
> Then get them to log in (and thus initiate that session), then I can hijack
> their session by using the same URL. At least with cookies it's much harder
> to get someone to install a cookie for a foreign site on their browser.
>
> Be careful!
>
> Dustin
>

hi,

this common problem was solved very often, one way is to recalculate the SID
for every response you send back according to the SID you got from the
request (and keep track of the SIDs during a session). a much easier way is
to maintain a pool of SIDs actually being used and throw away the unused ones
(after a session timeout), whether with a scheduled thread or a check every
time a SID arrives from a client. in fact, this is the mechanism most Java
servlet engines use (whether they store the id in a cookie or as a
parameter). and it only seems that cookies are more secure, it is easy to
fake them. this session thingy is (from my pov) a real security bottleneck,
so I can just repeat your words... be careful... :)

greets
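The two defences the reply sketches, a server-side pool of live SIDs that are dropped after an idle timeout, and a SID that is replaced when the session changes state (here: on login), as an added Python example. This is not code from the thread or from mod_python; the `SessionStore`, `handle_request` and `fixation_walkthrough` names are my own, the timeout check runs on every incoming SID rather than in a scheduled thread, and the numeric id 209354634 quoted in the thread is used only as a sample of an id the server never minted.

```python
import secrets
import time


class SessionStore:
    """Server-side pool of session ids (SIDs).

    A presented SID is accepted only if the server minted it and it has not
    been idle past the timeout; the SID is replaced on login so that an id
    handed to a victim in advance no longer refers to the authenticated session.
    """

    def __init__(self, idle_timeout=1800.0, clock=time.monotonic):
        self._clock = clock            # injectable for testing
        self._idle_timeout = idle_timeout
        self._sessions = {}            # sid -> {"data": {...}, "last_seen": t}

    @staticmethod
    def _mint_sid():
        # 256 bits from the OS CSPRNG: not guessable, unlike a short number
        return secrets.token_urlsafe(32)

    def create(self):
        sid = self._mint_sid()
        self._sessions[sid] = {"data": {}, "last_seen": self._clock()}
        return sid

    def purge_expired(self):
        """Drop sessions idle longer than the timeout; returns how many."""
        now = self._clock()
        dead = [s for s, rec in self._sessions.items()
                if now - rec["last_seen"] > self._idle_timeout]
        for s in dead:
            del self._sessions[s]
        return len(dead)

    def lookup(self, sid):
        """Session data for a valid SID, or None if unknown or expired."""
        self.purge_expired()
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        rec["last_seen"] = self._clock()
        return rec["data"]

    def rotate(self, sid):
        """Replace a valid SID with a fresh one, keeping the session data."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = self._mint_sid()
        rec["last_seen"] = self._clock()
        self._sessions[new_sid] = rec
        return new_sid

    def login(self, sid, username):
        """Authenticate the session and rotate its id; returns the new SID."""
        data = self.lookup(sid)
        if data is None:
            return None
        data["user"] = username
        return self.rotate(sid)


def handle_request(store, presented_sid):
    """What a handler does with the SID from a link parameter or a cookie:
    keep it only if the pool knows it, otherwise start a fresh session."""
    if presented_sid is not None and store.lookup(presented_sid) is not None:
        return presented_sid
    return store.create()


def fixation_walkthrough(clock=time.monotonic):
    """Constructed scenario returning the checks a defender cares about."""
    store = SessionStore(idle_timeout=60.0, clock=clock)
    # an id the server never issued is simply not in the pool
    forged_rejected = store.lookup("209354634") is None
    # a genuine anonymous SID is obtained and handed out in a link
    planted = store.create()
    # the recipient follows the link; the anonymous SID is valid, so it is kept
    victim_sid = handle_request(store, planted)
    # the recipient logs in; the server rotates the SID at that moment
    victim_sid_after_login = store.login(victim_sid, "alice")
    planted_sid_dead = store.lookup(planted) is None
    victim_logged_in = store.lookup(victim_sid_after_login)["user"] == "alice"
    return {
        "forged_rejected": forged_rejected,
        "planted_sid_dead_after_login": planted_sid_dead,
        "victim_logged_in": victim_logged_in,
        "sid_changed_on_login": victim_sid_after_login != planted,
    }


if __name__ == "__main__":
    print(fixation_walkthrough())
```

Rotating on login is the cheap version of "recalculate the SID for every response"; it closes the window the thread describes without requiring the server to remember a chain of ids, and the pool with idle timeout bounds how long any leaked id stays usable regardless of whether it travels in a URL or a cookie.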