sharing sessions through links..
Locked
12
12
sharing sessions through links..
 
|
hey, guys.. one quick question after watching the seaside movie last night.. pretend i have an application like ebay written in seaside.. so, i log into my account.. check my bids.. then, i do a search for something.. during that search, i find something my friend would really like.. so i send the link to my friend.. now.. suppose he immediately clicks it (i sent it over IM..) does he now have full access to my session, including my account information? ___ peace, sergio photographer, journalist, visionary www.village-buzz.com _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
On Mon, Oct 27, 2008 at 3:02 PM, sergio <[hidden email]> wrote:
> > hey, guys.. > > one quick question after watching the seaside movie last night.. > > pretend i have an application like ebay written in seaside.. > > so, i log into my account.. > > check my bids.. > > then, i do a search for something.. > > during that search, i find something my friend would really like.. > > so i send the link to my friend.. > > now.. suppose he immediately clicks it (i sent it over IM..) > > does he now have full access to my session, including my account > information? Unless you take action to prevent it, yes. This problem isn't unique to Seaside, of course; any system with session keys in URLs will be have the same problem. You can, of course, configure the session key to be stored in cookies, which eliminates the problem. Or you can use a WASessionProtector to prevent the IP address of the user from changing. Note that in either case, you would need to make sure to include enough information in the URL via #updateUrl: that a new session could be built pointing to the right item. Julian _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
>>>>> "Julian" == Julian Fitzell <[hidden email]> writes:
Julian> Unless you take action to prevent it, yes. This problem isn't unique Julian> to Seaside, of course; any system with session keys in URLs will be Julian> have the same problem. You can, of course, configure the session key Julian> to be stored in cookies, which eliminates the problem. Of course, you trade one problem for another there. If you use session cookies, you won't be able to have a single browser with two separate sessions in two separate windows, because the cookie is browser-wide. Perhaps, you could add a cookie to identify a particular browser, and then use Seaside sessions in the URL to identify a particular session for a particular browser. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
On Mon, Oct 27, 2008 at 4:06 PM, Randal L. Schwartz
<[hidden email]> wrote: >>>>>> "Julian" == Julian Fitzell <[hidden email]> writes: > > Julian> Unless you take action to prevent it, yes. This problem isn't unique > Julian> to Seaside, of course; any system with session keys in URLs will be > Julian> have the same problem. You can, of course, configure the session key > Julian> to be stored in cookies, which eliminates the problem. > > Of course, you trade one problem for another there. If you use session > cookies, you won't be able to have a single browser with two separate sessions > in two separate windows, because the cookie is browser-wide. Of course. > Perhaps, you could add a cookie to identify a particular browser, and then use > Seaside sessions in the URL to identify a particular session for a particular > browser. Yup. That would be a good candidate for a RequestFilter (or could be incorporated into the existing WAProtectionFilter (what WASessionProtector has become in 2.9). Anybody want to contribute code? :) Julian _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
In reply to this post by Randal L. Schwartz
2008/10/27 Randal L. Schwartz <[hidden email]>:
>>>>>> "Julian" == Julian Fitzell <[hidden email]> writes: > > Julian> Unless you take action to prevent it, yes. This problem isn't unique > Julian> to Seaside, of course; any system with session keys in URLs will be > Julian> have the same problem. You can, of course, configure the session key > Julian> to be stored in cookies, which eliminates the problem. > > Of course, you trade one problem for another there. There are also strange cases of mobile users who change IPs (this affects WASessionProtector). Isn't there a Max Payne quote along the lines of: if the only choice you've got is to do the wrong thing, then it's not really the *wrong* thing, is it? Cheers Philippe _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
In reply to this post by Julian Fitzell-2
>>>>> "Julian" == Julian Fitzell <[hidden email]> writes:
>> Of course, you trade one problem for another there. If you use session >> cookies, you won't be able to have a single browser with two separate sessions >> in two separate windows, because the cookie is browser-wide. Julian> Of course. Well, if you say "of course", then the message wasn't meant for you. :-) it was meant for the other readers. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
|
|
Wouldn't filtering on IP addresses would be problematic for multi-user hosts?
-david
On Mon, Oct 27, 2008 at 11:49 AM, Randal L. Schwartz <[hidden email]> wrote:
_______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
On Mon, Oct 27, 2008 at 10:45 PM, David Pennell <[hidden email]> wrote:
> Wouldn't filtering on IP addresses would be problematic for multi-user > hosts? > -david Like a NAT? It certainly wouldn't be effective in that case. :) The problem is there is currently no way to check that we have the right *user*. We can check if they have the right *session token* in the URL but users pass those around. We can put the *same token* in a cookie but then you can't have multiple sessions in different tabs. We can check an IP address but that isn't entirely secure and is problematic if the user gets disconnected from their VPN or whatever and gets a new IP. We can check if they have the right *browser* by profiling the headers sent by the browser or adding another cookie. The last (which is what Randal was suggesting) is probably the most reasonable compromise in that you can leave the session key in the URL and therefore have multiple sessions open and passing the URL to somebody else doesn't give them access to the session. This (over SSL) is probably pretty secure. But you still can't decide that the site isn't working in Firefox and copy and paste the link over to IE. Without some way to actually confirm the identity of the user behind the keyboard, of course, we have no choice but to make a compromise somewhere. Julian _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
>>>>> "Julian" == Julian Fitzell <[hidden email]> writes:
Julian> We can check an IP address but that isn't entirely secure and is Julian> problematic if the user gets disconnected from their VPN or whatever Julian> and gets a new IP. Or worse... the canonical example being the walled-garden AOL users who got a different proxy IP address for every connection *within a single page hit*. As in, main page 1.2.3.4... first image 1.2.3.5... second image 1.2.3.6... form posted via 1.2.3.22. I always pull that gem out whenever people mumble "session... IP authentication". It Won't Work. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
In reply to this post by Julian Fitzell-2
Using HTTP Auth solves this problem quite nicely. The user/password combination is sent with every browser request, so if it's not there you know it's not your original user. rado _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
On Tue, Oct 28, 2008 at 7:32 AM, radoslav hodnicak <[hidden email]> wrote:
> > Using HTTP Auth solves this problem quite nicely. The user/password > combination is sent with every browser request, so if it's not there you > know it's not your original user. Except that it requires SSL for every page request to ensure the password is secure (otherwise someone can hijack not just your session but your whole account). It also isn't any better than the extra cookie solution (cookies are also sent on every request) in that it doesn't actually identify the *user* at the end of the connection; only the *browser*. If the user has walked away, we won't know. And if the user has changed browsers, it won't work. As an aside, this why you should ask for a user's password again (even if they are in an authenticated session) before making changes to their account. The session is only identifying (at best) the browser and could be used by someone who sniffed the (non-SSL-encrypted) session keys and cookies or at a computer after the legitimate user walked away. Any privileges granted to a session are as vulnerable as the session so, if you don't make changing email addresses and passwords and so on require a password, you are leaving yourself open for session-hijackings to escalate into account-hijackings. Julian _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
In reply to this post by radoslav hodnicak
On Oct 28, 2008, at 2:32 AM, radoslav hodnicak wrote: > Using HTTP Auth solves this problem quite nicely. The user/password > combination is sent with every browser request, so if it's not there > you know it's not your original user. hmmm... this sounds like it might be a plan.. but the only thing that i worry about is that the recipient of the link will just be presented with an auth screen.. which is not good.. is there any way to serve up a generic page in the case that http auth fails? ___ peace, sergio photographer, journalist, visionary www.village-buzz.com _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
> is there any way to serve up a generic page in the case that http auth
> fails? Yes, you don't respond with a 401 (authentication failed) but with a normal response that shows a nice message. However for the basic-authentication login itself you need to present the auth-screen to the user sometime. I don't know of another way to set it. Cheers, Lukas -- Lukas Renggli http://www.lukas-renggli.ch _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
In reply to this post by Julian Fitzell-2
On Oct 27, 2008, at 5:15 PM, Julian Fitzell wrote: > The last (which is what Randal was suggesting) is probably the most > reasonable compromise in that you can leave the session key in the URL > and therefore have multiple sessions open and passing the URL to > somebody else doesn't give them access to the session. This (over SSL) > is probably pretty secure. But you still can't decide that the site > isn't working in Firefox and copy and paste the link over to IE. > > Without some way to actually confirm the identity of the user behind > the keyboard, of course, we have no choice but to make a compromise > somewhere. Forgive me if I am ignorantly suggesting something that won't work in Seaside, but I would try this: 1) Keep a token identifying the user in a cookie. 2) Leave the session info in the url. Since the session is still in the url, you can still have multiple sessions in the same browser. And since the user token is in a cookie, I can paste the URL into any browser where I've already authenticated. David _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
On Tue, Oct 28, 2008 at 5:37 PM, David Farber <[hidden email]> wrote:
> > On Oct 27, 2008, at 5:15 PM, Julian Fitzell wrote: > >> The last (which is what Randal was suggesting) is probably the most >> reasonable compromise in that you can leave the session key in the URL >> and therefore have multiple sessions open and passing the URL to >> somebody else doesn't give them access to the session. This (over SSL) >> is probably pretty secure. But you still can't decide that the site >> isn't working in Firefox and copy and paste the link over to IE. >> >> Without some way to actually confirm the identity of the user behind >> the keyboard, of course, we have no choice but to make a compromise >> somewhere. > > Forgive me if I am ignorantly suggesting something that won't work in > Seaside, but I would try this: > > 1) Keep a token identifying the user in a cookie. > 2) Leave the session info in the url. > > Since the session is still in the url, you can still have multiple sessions > in the same browser. And since the user token is in a cookie, I can paste > the URL into any browser where I've already authenticated. Well that's basically what Randal was suggesting and is, I think, the best we can do currently. It still only identifies the browser, though: if a user walks away from the browser or someone sniffs the cookie value, we have no way of knowing that it isn't the same user anymore. Always using the same key for a particular user does have the nice property that they can move sessions between browsers but at the additional risk that you now want that cookie to persist for a much longer period of time which is bad if the token does get captured. Julian _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
On Tue, Oct 28, 2008 at 12:59 PM, Julian Fitzell <[hidden email]> wrote:
> On Tue, Oct 28, 2008 at 5:37 PM, David Farber <[hidden email]> wrote: >> >> On Oct 27, 2008, at 5:15 PM, Julian Fitzell wrote: >> >>> The last (which is what Randal was suggesting) is probably the most >>> reasonable compromise in that you can leave the session key in the URL >>> and therefore have multiple sessions open and passing the URL to >>> somebody else doesn't give them access to the session. This (over SSL) >>> is probably pretty secure. But you still can't decide that the site >>> isn't working in Firefox and copy and paste the link over to IE. >>> >>> Without some way to actually confirm the identity of the user behind >>> the keyboard, of course, we have no choice but to make a compromise >>> somewhere. >> >> Forgive me if I am ignorantly suggesting something that won't work in >> Seaside, but I would try this: >> >> 1) Keep a token identifying the user in a cookie. >> 2) Leave the session info in the url. >> >> Since the session is still in the url, you can still have multiple sessions >> in the same browser. And since the user token is in a cookie, I can paste >> the URL into any browser where I've already authenticated. > > Well that's basically what Randal was suggesting and is, I think, the > best we can do currently. It still only identifies the browser, > though: if a user walks away from the browser or someone sniffs the > cookie value, we have no way of knowing that it isn't the same user > anymore. Always using the same key for a particular user does have the > nice property that they can move sessions between browsers but at the > additional risk that you now want that cookie to persist for a much > longer period of time which is bad if the token does get captured. > working with other web apps right now. That said, I have experience developing this type of system. The fact that the session identifier is not in a cookie doesn't really matter here. You need two cookies anyway. One for user identity and one for session identity. This way you can timeout a session, for example and require reauthentication, or require reauthentication for certain actions, such as amazon.com. Of course the exact details depend on your application. You could combine the user identity token with session checking to timeout a session, or require re-authentication after a certain time period. Obviously those settings depend on the exact security requirements of your application. I'd suggest using a hashed value in the identity cookie and to vary the cookies value randomly. Of course this again depends on the exact security requirements of your application, but in general it's a good idea. Dave > Julian > _______________________________________________ > seaside mailing list > [hidden email] > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside > -- Dave Bauer [hidden email] http://www.solutiongrove.com _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
How about something like AES encrypting the session id in the URI, and
storing the AES key in the cookie? Dave Bauer wrote: > On Tue, Oct 28, 2008 at 12:59 PM, Julian Fitzell <[hidden email]> wrote: > >> On Tue, Oct 28, 2008 at 5:37 PM, David Farber <[hidden email]> wrote: >> >>> On Oct 27, 2008, at 5:15 PM, Julian Fitzell wrote: >>> >>> >>>> The last (which is what Randal was suggesting) is probably the most >>>> reasonable compromise in that you can leave the session key in the URL >>>> and therefore have multiple sessions open and passing the URL to >>>> somebody else doesn't give them access to the session. This (over SSL) >>>> is probably pretty secure. But you still can't decide that the site >>>> isn't working in Firefox and copy and paste the link over to IE. >>>> >>>> Without some way to actually confirm the identity of the user behind >>>> the keyboard, of course, we have no choice but to make a compromise >>>> somewhere. >>>> >>> Forgive me if I am ignorantly suggesting something that won't work in >>> Seaside, but I would try this: >>> >>> 1) Keep a token identifying the user in a cookie. >>> 2) Leave the session info in the url. >>> >>> Since the session is still in the url, you can still have multiple sessions >>> in the same browser. And since the user token is in a cookie, I can paste >>> the URL into any browser where I've already authenticated. >>> >> Well that's basically what Randal was suggesting and is, I think, the >> best we can do currently. It still only identifies the browser, >> though: if a user walks away from the browser or someone sniffs the >> cookie value, we have no way of knowing that it isn't the same user >> anymore. Always using the same key for a particular user does have the >> nice property that they can move sessions between browsers but at the >> additional risk that you now want that cookie to persist for a much >> longer period of time which is bad if the token does get captured. >> >> > Hi, I have been lurking for a long time, interested in seaside, but > working with other web apps right now. That said, I have experience > developing this type of system. The fact that the session identifier > is not in a cookie doesn't really matter here. You need two cookies > anyway. One for user identity and one for session identity. This way > you can timeout a session, for example and require reauthentication, > or require reauthentication for certain actions, such as amazon.com. > Of course the exact details depend on your application. > > You could combine the user identity token with session checking to > timeout a session, or require re-authentication after a certain time > period. Obviously those settings depend on the exact security > requirements of your application. I'd suggest using a hashed value in > the identity cookie and to vary the cookies value randomly. Of course > this again depends on the exact security requirements of your > application, but in general it's a good idea. > > Dave > > >> Julian >> _______________________________________________ >> seaside mailing list >> [hidden email] >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside >> >> > > > > ****************************************************************************************************************************************** This email is from Pinesoft Limited. Its contents are confidential to the intended recipient(s) at the email address(es) to which it has been addressed. It may not be disclosed to or used by anyone other than the addressee(s), nor may it be copied in anyway. If received in error, please contact the sender, then delete it from your system. Although this email and attachments are believed to be free of virus, or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by Pinesoft for any loss or damage arising in any way from receipt or use thereof. ******************************************************************************************************************************************* Pinesoft Limited are registered in England, Registered number: 2914825. Registered office: 266-268 High Street, Waltham Cross, Herts, EN8 7EA _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
In reply to this post by Dave Bauer-3
>>>>> "Dave" == Dave Bauer <[hidden email]> writes:
Dave> Hi, I have been lurking for a long time, interested in seaside, but Dave> working with other web apps right now. That said, I have experience Dave> developing this type of system. The fact that the session identifier Dave> is not in a cookie doesn't really matter here. You need two cookies Dave> anyway. One for user identity and one for session identity. This way Dave> you can timeout a session, for example and require reauthentication, Dave> or require reauthentication for certain actions, such as amazon.com. Dave> Of course the exact details depend on your application. No, you don't need two cookies --- you need only one cookie, as I demonstrated my magazine article (http://www.stonehenge.com/merlyn/WebTechniques/col61.html). You can't count on a cookie going away as a means of timing out of session, since the browser can do whatever it wants and client-side software can lie. So really, all you need to do is distinguish this browser from all other browsers, and then use server-side state to manage what that actually means. Fortunately, in Seaside, we have an easy place to put server-side data, and time it out. Much easier than when I was doing this with Perl. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
On Tue, Oct 28, 2008 at 1:32 PM, Randal L. Schwartz
<[hidden email]> wrote: >>>>>> "Dave" == Dave Bauer <[hidden email]> writes: > > Dave> Hi, I have been lurking for a long time, interested in seaside, but > Dave> working with other web apps right now. That said, I have experience > Dave> developing this type of system. The fact that the session identifier > Dave> is not in a cookie doesn't really matter here. You need two cookies > Dave> anyway. One for user identity and one for session identity. This way > Dave> you can timeout a session, for example and require reauthentication, > Dave> or require reauthentication for certain actions, such as amazon.com. > Dave> Of course the exact details depend on your application. > > No, you don't need two cookies --- you need only one cookie, as I demonstrated > my magazine article > (http://www.stonehenge.com/merlyn/WebTechniques/col61.html). You can't count > on a cookie going away as a means of timing out of session, since the browser > can do whatever it wants and client-side software can lie. So really, all you > need to do is distinguish this browser from all other browsers, and then use > server-side state to manage what that actually means. Fortunately, in Seaside, > we have an easy place to put server-side data, and time it out. Much easier > than when I was doing this with Perl. > identifier in the URL. Otherwise you would need two cookies. They are similar solutions. Since Seaside has session_id in the URL you don't use a session cookie. Dave > -- > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 > <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> > Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. > See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion > -- Dave Bauer [hidden email] http://www.solutiongrove.com _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: sharing sessions through links..
|
|
>>>>> "Dave" == Dave Bauer <[hidden email]> writes:
Dave> Yes you are right! You only need one cookie if you put the session Dave> identifier in the URL. Otherwise you would need two cookies. They are Dave> similar solutions. Since Seaside has session_id in the URL you don't Dave> use a session cookie. Please read the article. I am talking about using a branded browser (a unique cookie for each browser) as a way of doing a session. In this case, there would be no session as part of the URL, but it suffers from not having two tabs having separate sessions. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
«
Return to Seaside General
|
1 view|%1 views
| Free forum by Nabble | Edit this page |