Hi
One thought: Is it a security issue to pass links generated by Seaside to someone else? Is it possible to hijack the session this way?

Consider this:

You log on to a seaside site.
You copy a link from inside the site and pass it to someone else (by e-mail for example).
That someone else clicks on your link and has gained access to your session.

Hopefully I have this completely wrong and am just talking nonsense. If not, what is the correct and safe way to pass links (to internal sources) to external parties?

Thanks,
JP

_______________________________________________
Seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Jens Pall
> Sent: Wednesday, January 24, 2007 5:49 AM
> To: The Squeak Enterprise Aubergines Server - general discussion.
> Subject: [Seaside] Passing links around - a security issue?
>
> Hi
>
> One thought: Is it a security issue to pass links generated
> by Seaside to someone else? Is it possible to hijack the
> session this way?
>
> Consider this:
>
> You log on to a seaside site.
> You copy a link from inside the site and pass it to someone
> else (by e-mail for example).
> That someone else clicks on your link and has gained access
> to your session.
>
> Hopefully I have this completely wrong and am just talking
> nonsense. If not, what is the correct and safe way to pass
> links (to internal sources) to external parties?
>
> Thanks,
> JP

This isn't just a Seaside thing, it's an issue with any framework that enables cookieless sessions. As with those other frameworks, you can choose to keep the session id in the url, or in the cookie. Seaside is no different than other frameworks in this regard other than that it defaults to cookieless mode where most frameworks default to cookie-based sessions.

Ramon Leon
http://onsmalltalk.com
Ramon Leon wrote:
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of Jens Pall
>> Sent: Wednesday, January 24, 2007 5:49 AM
>> To: The Squeak Enterprise Aubergines Server - general discussion.
>> Subject: [Seaside] Passing links around - a security issue?
>>
>> Hi
>>
>> One thought: Is it a security issue to pass links generated
>> by Seaside to someone else? Is it possible to hijack the
>> session this way?
>>
>> Consider this:
>>
>> You log on to a seaside site.
>> You copy a link from inside the site and pass it to someone
>> else (by e-mail for example).
>> That someone else clicks on your link and has gained access
>> to your session.
>>
>> Hopefully I have this completely wrong and am just talking
>> nonsense. If not, what is the correct and safe way to pass
>> links (to internal sources) to external parties?
>>
>> Thanks,
>> JP
>
> This isn't just a Seaside thing, it's an issue with any framework that
> enables cookieless sessions. As with those other frameworks, you can choose
> to keep the session id in the url, or in the cookie. Seaside is no
> different than other frameworks in this regard other than that it defaults
> to cookieless mode where most frameworks default to cookie-based sessions.
>
> Ramon Leon
> http://onsmalltalk.com

Yes, of course - silly me. I was so engrossed in the specific way Seaside encodes the url that I forgot to think about this in a more general way.

Thanks for putting me straight.

Cheers,
JP
On the other hand, if this is a critical security issue, it might be possible to navigate the object graph (session -> currentRequest -> nativeRequest and so on) and get the peer's IP address and restrict the session to that specific IP address.

I must admit that this is just an idea to explore, I never tried it.

Michel

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Ramon Leon
> Sent: Wednesday, 24 January 2007 19:10
> To: 'The Squeak Enterprise Aubergines Server - general discussion.'
> Subject: RE: [Seaside] Passing links around - a security issue?
>
> > -----Original Message-----
> > From: [hidden email]
> > [mailto:[hidden email]] On Behalf Of Jens Pall
> > Sent: Wednesday, January 24, 2007 5:49 AM
> > To: The Squeak Enterprise Aubergines Server - general discussion.
> > Subject: [Seaside] Passing links around - a security issue?
> >
> > Hi
> >
> > One thought: Is it a security issue to pass links generated by Seaside
> > to someone else? Is it possible to hijack the session this way?
> >
> > Consider this:
> >
> > You log on to a seaside site.
> > You copy a link from inside the site and pass it to someone else (by
> > e-mail for example).
> > That someone else clicks on your link and has gained access to your
> > session.
> >
> > Hopefully I have this completely wrong and am just talking nonsense.
> > If not, what is the correct and safe way to pass links (to internal
> > sources) to external parties?
> >
> > Thanks,
> > JP
>
> This isn't just a Seaside thing, it's an issue with any
> framework that enables cookieless sessions. As with those
> other frameworks, you can choose to keep the session id in
> the url, or in the cookie. Seaside is no different than
> other frameworks in this regard other than that it defaults
> to cookieless mode where most frameworks default to cookie-based
> sessions.
>
> Ramon Leon
> http://onsmalltalk.com
> On the other hand, if this is a critical security issue, it might be
> possible to navigate the object graph (session -> currentRequest -> nativeRequest
> and so on) and get the peer's ip address and restrict the session to that specific
> ip address.
>
> I must admit that this is just an idea to explore, I never tried it.

Back in 2004 I implemented a decoration class called WASessionProtector to Seaside that does exactly that. Added around the root component, it remembers the IP from the first request and only lets subsequent requests pass that originate from the same IP. Of course this does not provide absolute security, but it is much more than doing nothing.

Cheers,
Lukas

--
Lukas Renggli
http://www.lukas-renggli.ch
On 24 Jan 2007, at 20:37, Lukas Renggli wrote:
>> On the other hand, if this is a critical security issue, it might be
>> possible to navigate the object graph (session -> currentRequest -> nativeRequest
>> and so on) and get the peer's ip address and restrict the session to that specific
>> ip address.
>>
>> I must admit that this is just an idea to explore, I never tried it.
>
> Back in 2004 I implemented a decoration class called
> WASessionProtector to Seaside that does exactly that. Added around the
> root component it remembers the IP from the first request and only let
> subsequent requests pass that origin from the same IP. Of course this
> does not provide an absolute security, but it is much more than doing
> nothing.

Cool!

I just saw it in the base Seaside package and it is also in the VW port. However I do not know if this works in VW. Has anyone tried it in WebToolkit? In Swazoo?

Michel.
I use it on VisualWorks with Swazoo, works fine. Still have to consider the fact that most networks are NAT'ed so it's not a complete solution, but it helps. We also use cookies for session tracking, so it's a little harder to pick up a session on a different computer.
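The protection discussed in this thread (Lukas's WASessionProtector pinning a session to the IP of its first request, and the last reply's point that NAT weakens that and cookies help), as an added Python sketch that is not Seaside's code. The `Request`, `Session` and `SessionProtector` names, the `sid` URL parameter and the `sid_token` cookie are assumptions for the example.

```python
# Added example, not Seaside's WASessionProtector: pin a URL-carried session
# to the IP of its first request, optionally also binding it to a cookie.
# Request/Session/SessionProtector, the "sid" query parameter and the
# "sid_token" cookie are assumed names for this sketch.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Request:
    path: str
    query: Dict[str, str]      # session id travels in the URL, e.g. {"sid": ...}
    cookies: Dict[str, str]
    remote_addr: str           # peer IP as seen by the server


@dataclass
class Session:
    sid: str
    origin_ip: Optional[str] = None   # learned from the first request
    cookie_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class SessionProtector:
    """Wraps session lookup with the IP check (and an optional cookie check)."""

    def __init__(self, require_cookie: bool = False) -> None:
        self.sessions: Dict[str, Session] = {}
        self.require_cookie = require_cookie

    def new_session(self) -> Session:
        s = Session(sid=secrets.token_urlsafe(16))
        self.sessions[s.sid] = s
        return s

    def check(self, req: Request) -> Tuple[bool, str]:
        """Return (allowed, reason); a rejected request must not reach the app."""
        s = self.sessions.get(req.query.get("sid", ""))
        if s is None:
            return False, "unknown session"
        if s.origin_ip is None:
            s.origin_ip = req.remote_addr          # first request fixes the origin
        elif s.origin_ip != req.remote_addr:
            return False, "ip mismatch"            # forwarded link used elsewhere
        # IP pinning alone is weak behind NAT (many clients share one address):
        # optionally also require a secret only the original browser holds in a cookie.
        if self.require_cookie and req.cookies.get("sid_token") != s.cookie_token:
            return False, "cookie missing"
        return True, "ok"
```

With `require_cookie=False` a second client behind the same NAT address passes the IP check, which is the limitation the last reply describes; with `require_cookie=True` the URL alone is no longer enough to reach the session.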