[plt-scheme] Are web-server continuations "safe"?

From: Stephen De Gabrielle (stephen at degabrielle.name)
Date: Tue Mar 4 10:14:08 EST 2008

Hi,

I think I have this right;

It's a feature because you can bookmark it or send the url to a friend and
share it.

> I feel like this makes it easy to hijack a user's session, am I wrong?
How you secure a session to an individual user is separate:

- a unique URL is sometimes used in low-security applications (e.g. Google
Calendar lets you create an UNindexed URL for your private calendar; anyone
who has the URL can see your calendar)

- cookies are a simple and easy method that is often used to maintain a
session. Cookie access is granted by your browser to websites with the same
domain name; web applications at www.google.com can 'see' only cookies
created by web pages at www.google.com (or subdomain.www.google.com etc.)

- SSL is (or should be) used for the login phase when a greater level of
security is desired.

BTW I think you use *send/finish* for single-use URLs.

Cheers,
Stephen


On Tue, Mar 4, 2008 at 2:50 PM, Jay McCarthy <jay.mccarthy at gmail.com> wrote:

> This is what should happen.
>
> There is no way to change the behavior that if "X" runs when you go to
> URL "Y" from computer "A", then it will also happen from computer "B".
> So, it is easy to hijack a user's session if you don't prepare for it.
>
> For example, you can make the "X" that happens rely on the computer
> being "A", through a cookie, for example or by requiring an HTTP
> password on the url (that will be cached and transparent to a client
> who has already logged in.)
>
> Jay
>
> btw, We consider this a feature.
>
> On Tue, Mar 4, 2008 at 6:27 AM, Eric Biunno <01rice at gmail.com> wrote:
> > In v371,
> > when I connect to a servlet from one client computer and receive a
> > continuation embedded into URL,
> > I can then invoke this continuation from another client computer without
> a
> > problem.
> > Is this what should happen? Does the development version behave the same
> > way? Is there a way to change this behavior?
> >  Am I not understanding the proper use of web-server continuations?
> > I feel like this makes it easy to hijack a user's session, am I wrong?
> >
> > Thanks,
> > Eric
> >
> > _________________________________________________
> >   For list-related administrative tasks:
> >   http://list.cs.brown.edu/mailman/listinfo/plt-scheme
> >
> >
>
>
>
> --
> Jay McCarthy <jay.mccarthy at gmail.com>
> http://jay.teammccarthy.org
>



-- 
Cheers,

Stephen

--
Stephen De Gabrielle
s.degabrielle at ucl.ac.uk
Telephone +44 (0)20 7679 5242 (x45242)
Mobile                  079 851 890 45
Project: Making Sense of Information (MaSI)
http://www.uclic.ucl.ac.uk/annb/MaSI.html

UCLIC: University College London Interaction Centre
http://www.uclic.ucl.ac.uk/

Remax House - 31/32 Alfred Place
London - WC1E 7DP
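The mitigation Jay describes (make the continuation "X" depend on the request coming from the computer that started the interaction, via a cookie) can be written directly in the web-server's own language. The servlet below is an added example, not code from the thread or from the PLT/Racket web-server project; it assumes the modern Racket `web-server` library (`send/suspend`, `request-cookies`, `make-cookie`, `cookie->header`, `serve/servlet`), not the v371 API the original question was about, and it uses a cookie named `sid` and port 8080 purely as illustrative choices. The session identifier is generated inside `start`, so the continuation captured by `send/suspend` closes over it; a second client that pastes the continuation URL into its own browser does not carry the matching cookie and is refused.

```racket
#lang racket
;; Added example: bind a continuation URL to the browser that received it.
;; Assumes the Racket web-server library (not the 2008 v371 API).
(require web-server/servlet
         web-server/servlet-env
         racket/random)

;; 16 random bytes rendered as hex; a stand-in for a real session store.
(define (fresh-session-id)
  (apply string-append
         (for/list ([b (in-bytes (crypto-random-bytes 16))])
           (~r b #:base 16 #:min-width 2 #:pad-string "0"))))

;; True iff the request carries a "sid" cookie equal to the expected value.
;; (Cookie name "sid" is an assumption of this example.)
(define (bound-to-session? req expected-sid)
  (define c (findf (lambda (c) (string=? (client-cookie-name c) "sid"))
                   (request-cookies req)))
  (and c (string=? (client-cookie-value c) expected-sid)))

(define (start req)
  ;; Each new visitor gets its own id; the continuation below closes over it.
  (define sid (fresh-session-id))
  ;; Step 1: hand out the continuation URL *and* set the cookie in the same
  ;; response, so only this browser holds both halves.
  (define req2
    (send/suspend
     (lambda (k-url)
       (response/xexpr
        #:headers (list (cookie->header (make-cookie "sid" sid #:http-only? #t)))
        `(html (body (p "Continuation URL issued to this browser.")
                     (a ((href ,k-url)) "Continue")))))))
  ;; Step 2: the resumed continuation refuses any client without the cookie,
  ;; which is exactly the "computer B" case from the thread.
  (if (bound-to-session? req2 sid)
      (response/xexpr `(html (body (p "Welcome back; same browser."))))
      (response/xexpr #:code 403
                      `(html (body (p "This continuation belongs to another session."))))))

;; Port 8080 and servlet path "/" are arbitrary choices for the example.
(serve/servlet start #:port 8080 #:servlet-path "/" #:launch-browser? #f)
```

To see the difference, open http://localhost:8080/ in one browser, copy the "Continue" link, and paste it into a second browser (or a `curl` invocation) that never received the `sid` cookie: the first client resumes normally, the second gets a 403. The URL still carries the continuation, so this does not make it secret; it only stops the URL from being sufficient on its own, which is the point Jay makes about relying on "A". For a real deployment the cookie should also be marked `#:secure?` and served over SSL, as Stephen notes for the login phase.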