[mod_python] Announcement: Roadkill version 0.01 "Kitten"

verence verence at web.de
Sun Jun 8 20:17:23 EST 2003


Dustin Mitchell wrote:
> On Sun, Jun 08, 2003 at 11:24:33AM -0600, Gre7g Luterman wrote:
> 
>>>- - Permanent and temporary sessions. Every website uses cookies for
>>>only one thing - sessions. We should have this built in by default.
>>
>>Personally, I prefer to pass a variable SID around with each link and 
>>form.  Yeah, it's not as convenient as a cookie, but at least you 
>>don't have to worry about cookies being enabled.  Plus, it is 
>>available on the first page load and it is compatible with CGI's I 
>>wrote before getting into mod_python, where it was too tricky to 
>>modify headers to set one.
> 
> 
> And it's less secure.  If I hand someone a link like
> 
>   http://www.yoursite.com/SID=209354634
> 
> Then get them to log in (and thus initiate that session), then I can hijack
> their session by using the same URL.  At least with cookies it's much harder
> to get someone to install a cookie for a foreign site on their browser.
> 
> Be careful!
> 
> Dustin
> 
Hi,

this common problem has been solved very often. One way is to recalculate the 
SID for every response you send back according to the SID you got from 
the request (and keep track of the SIDs during a session). A much easier 
way is to maintain a pool of SIDs actually being used and throw away 
the unused ones (after a session timeout), whether with a scheduled 
thread or a check every time a SID arrives from a client. In fact, this is the 
mechanism most Java servlet engines use (whether they store the id in a 
cookie or as a parameter). And it only seems that cookies are more 
secure; it is easy to fake them. This session thingy is (from my POV) a 
real security bottleneck, so I can just repeat your words...

be careful... :)

greets
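As an added illustration of the server-side SID pool described above (not code from this thread or from mod_python): only server-issued random SIDs are accepted, idle SIDs are dropped on each lookup, and the SID is reissued after login so that a URL handed to the visitor beforehand, as in Dustin's scenario, no longer maps to the authenticated session. The class name, the 30-minute timeout and the injectable clock are assumptions made for this example.

```python
import secrets
import time

SESSION_TIMEOUT = 30 * 60  # assumed idle timeout in seconds


class SessionPool:
    """Pool of SIDs actually in use. A SID the server never issued
    (e.g. one planted in a link) is not in the pool and is refused."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.monotonic):
        self._sessions = {}  # sid -> [last_seen, session data]
        self._timeout = timeout
        self._clock = clock  # injectable so tests can advance time

    @staticmethod
    def _new_sid():
        # Unguessable SID from the OS CSPRNG, not a counter or timestamp.
        return secrets.token_urlsafe(32)

    def create(self):
        """Issue a fresh SID with empty session data."""
        sid = self._new_sid()
        self._sessions[sid] = [self._clock(), {}]
        return sid

    def _expire_idle(self):
        now = self._clock()
        for sid, (last_seen, _) in list(self._sessions.items()):
            if now - last_seen > self._timeout:
                del self._sessions[sid]

    def lookup(self, sid):
        """Run every time a SID arrives from a client. Returns the session
        data, or None for unknown or timed-out SIDs (caller then create()s)."""
        self._expire_idle()
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        entry[0] = self._clock()  # touch: activity keeps the SID alive
        return entry[1]

    def rotate(self, sid):
        """Move a session to a new SID (call right after login) so a SID
        known before authentication is worthless afterwards."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        new_sid = self._new_sid()
        entry[0] = self._clock()
        self._sessions[new_sid] = entry
        return new_sid
```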