[plt-scheme] Are web-server continuations "safe"?

From: Eric Biunno (01rice at gmail.com)
Date: Tue Mar 4 10:23:00 EST 2008

Thanks guys,
I see now. That is a good feature.

Eric

On Tue, Mar 4, 2008 at 10:14 AM, Stephen De Gabrielle <stephen at degabrielle.name> wrote:

> Hi,
>
> I think I have this right;
>
> It's a feature because you can bookmark it or send the url to a friend and
> share it.
>
> > I feel like this makes it easy to hijack a user's session, am I wrong?
> How you secure a session to an individual user is separate;
>
> - a unique URL is sometimes used in low-security applications. (e.g. Google
> Calendar lets you create an UNindexed URL for your private calendar - anyone
> who has the URL can see your calendar)
>
> - cookies are a simple and easy method that is often used to maintain a
> session. Cookie access is granted by your browser to websites with the same
> domain name; web applications at www.google.com can 'see' only cookies
> created by web pages at www.google.com (or subdomain.www.google.com etc.)
>
> - ssl is (or should be) used for the login phase when a greater level of
> security is desired.
>
> BTW I think you use *send/finish* for single-use URLs
>
> Cheers,
> Stephen
>
>
>
> On Tue, Mar 4, 2008 at 2:50 PM, Jay McCarthy <jay.mccarthy at gmail.com>
> wrote:
>
> > This is what should happen.
> >
> > There is no way to change the behavior that if "X" runs when you go to
> > URL "Y" from computer "A", then it will also happen from computer "B".
> > So, it is easy to hijack a user's session if you don't prepare for it.
> >
> > For example, you can make the "X" that happens rely on the computer
> > being "A", through a cookie, for example or by requiring an HTTP
> > password on the url (that will be cached and transparent to a client
> > who has already logged in.)
> >
> > Jay
> >
> > btw, We consider this a feature.
> >
> > On Tue, Mar 4, 2008 at 6:27 AM, Eric Biunno <01rice at gmail.com> wrote:
> > > In v371,
> > > when I connect to a servlet from one client computer and receive a
> > > continuation embedded into a URL, I can then invoke this continuation
> > > from another client computer without a problem.
> > > Is this what should happen? Does the development version behave the
> > > same way? Is there a way to change this behavior?
> > > Am I not understanding the proper use of web-server continuations?
> > > I feel like this makes it easy to hijack a user's session, am I wrong?
> > >
> > > Thanks,
> > > Eric
> > >
> > > _________________________________________________
> > >   For list-related administrative tasks:
> > >   http://list.cs.brown.edu/mailman/listinfo/plt-scheme
> > >
> > >
> >
> >
> >
> > --
> > Jay McCarthy <jay.mccarthy at gmail.com>
> > http://jay.teammccarthy.org
> >
>
>
>
> --
> Cheers,
>
> Stephen
>
> --
> Stephen De Gabrielle
> s.degabrielle at ucl.ac.uk
> Telephone +44 (0)20 7679 5242 (x45242)
> Mobile                  079 851 890 45
> Project: Making Sense of Information (MaSI)
> http://www.uclic.ucl.ac.uk/annb/MaSI.html
>
> UCLIC: University College London Interaction Centre
> http://www.uclic.ucl.ac.uk/
>
> Remax House - 31/32 Alfred Place
> London - WC1E 7DP
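The thread's conclusion is that a continuation URL runs the same code no matter which machine requests it, so the servlet itself has to bind the continuation to the browser that started it, for instance with a cookie, as Jay suggests. The servlet below is an added example written for this page; it is not code from the thread or from the Racket distribution. It uses the current Racket web-server API (send/suspend, send/finish, request-cookies, make-cookie, response/xexpr, serve/servlet); the v371 API discussed in the thread differs in details, and the cookie name, port and token size are arbitrary choices for the example.

```racket
#lang racket
;; Added example: a continuation URL that only works from the browser
;; that received it. Not from the original thread.
(require web-server/servlet
         web-server/servlet-env
         file/sha1)

;; Cookie name is an arbitrary choice for this example.
(define COOKIE-NAME "plt-session")

;; 128-bit random token, hex encoded. crypto-random-bytes is the
;; OS CSPRNG, so the token is not guessable.
(define (fresh-token)
  (bytes->hex-string (crypto-random-bytes 16)))

;; Value of our cookie on this request, or #f if the browser did not
;; send one (e.g. a different computer pasting the continuation URL).
(define (session-cookie req)
  (for/first ([c (in-list (request-cookies req))]
              #:when (string=? (client-cookie-name c) COOKIE-NAME))
    (client-cookie-value c)))

;; Constant-time string comparison: OR together the XOR of every
;; character pair, so the time taken does not reveal where a guess
;; first diverges from the real token.
(define (token=? a b)
  (and (string? a) (string? b)
       (= (string-length a) (string-length b))
       (zero?
        (for/fold ([acc 0]) ([x (in-string a)] [y (in-string b)])
          (bitwise-ior acc (bitwise-xor (char->integer x)
                                        (char->integer y)))))))

(define (forbidden)
  (response/xexpr
   #:code 403
   `(html (body (p "This continuation belongs to a different browser.")))))

(define (start initial-req)
  ;; One fresh token per interaction. It lives in this closure, so it
  ;; is captured by the continuation that send/suspend creates.
  (define token (fresh-token))
  ;; Step 1: hand out the continuation URL and, in the same response,
  ;; set a cookie carrying the token. The URL alone is now not enough:
  ;; the browser must also present the cookie.
  (define resume-req
    (send/suspend
     (lambda (k-url)
       (response/xexpr
        #:cookies (list (make-cookie COOKIE-NAME token
                                     #:path "/"
                                     #:http-only? #t))
        `(html (body
                (p "Click to continue:")
                (a ((href ,k-url)) "continue")))))))
  ;; Step 2: the continuation has been invoked. Only proceed if the
  ;; request carries the cookie we set in step 1; anyone who merely
  ;; copied the URL gets a 403. send/finish ends the interaction, so
  ;; the continuation URL is single use either way.
  (if (token=? token (session-cookie resume-req))
      (send/finish
       (response/xexpr
        `(html (body (p "Welcome back, same browser.")))))
      (send/finish (forbidden))))

;; Port and path are arbitrary for the example.
(serve/servlet start
               #:servlet-path "/"
               #:port 8000
               #:launch-browser? #f)
```

To reproduce the thread's scenario, load http://localhost:8000/ in one browser, copy the "continue" link, and open it from a second browser or machine: the second browser has no cookie, so the check fails and it receives the 403 instead of resuming the session. Add `#:secure? #t` to make-cookie when the servlet is served over HTTPS, which matches Stephen's point that SSL should cover the login phase.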