[plt-scheme] Introducing... Stuffers

From: Henk Boom (henk at henk.ca)
Date: Fri Feb 6 20:15:40 EST 2009

2009/2/6 Raoul Duke <raould at gmail.com>:
>> I've been meaning to ask this for a while, but what are the security
>> consequences with storing the continuation on the (untrusted) client's
>> computer?
>
> hm, Mr. No Security Expert here, but I'd guess it would be very similar
> to whatever the deal is with cookies.
> I mean, you can encrypt the continuation so the client most likely
> can't read it, but they could still transfer it to a different machine
> or replay it a lot or whatever, so your server would have to deal with
> that.

Cookies are usually used to uniquely identify the user, so that the
right session can be loaded by the server, whereas in this case the
continuation itself is on the client's machine. I was thinking more
along the lines of people modifying their continuations to make the
server execute different code. I'm asking because I don't know enough
about how the continuations are serialized to know what the dangers
are, and as far as I can see the documentation makes no mention of
security considerations.

    Henk


Posted on the users mailing list.
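The two concerns raised in this exchange, a client editing the serialized continuation to steer what the server executes, and a client replaying or transferring an otherwise-valid blob, are separable, and the distinction is easier to see in code than in prose. The following is an added example, not code from the PLT Scheme web server or from either poster: it stands in for a stuffed continuation with a small Python dict, authenticates the serialized bytes with an HMAC so that any modification is rejected, and then layers a server-side one-shot nonce registry on top to show what it costs to also stop replay. The key, the state contents and the function names are all constructed for the illustration.

```python
"""Tamper-evident client-side state: an authenticated "stuffer" in Python.

Added example (not Racket web-server code).  The serialized continuation is
modelled as a JSON-encoded dict; the secret key is generated in-process.
"""
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag

# Constructed server-side secret.  It never leaves the server, which is what
# makes the tag unforgeable by whoever holds the blob.
SERVER_KEY = secrets.token_bytes(32)


def stuff(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize `state` and append an HMAC over the serialized bytes.

    The result is an opaque, URL-safe token fit for a hidden form field or a
    URL.  It is NOT encrypted: the client can read it, but cannot change it
    without the change being detected by unstuff().
    """
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def unstuff(token: str, key: bytes = SERVER_KEY) -> dict:
    """Inverse of stuff(); raises ValueError if the token was altered at all."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("stuffed state is not valid base64") from exc
    if len(raw) <= TAG_LEN:
        raise ValueError("stuffed state too short to carry a tag")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("stuffed state failed authentication")
    return json.loads(body.decode())


def is_authentic(token: str, key: bytes = SERVER_KEY) -> bool:
    """Convenience predicate around unstuff() for callers that want a bool."""
    try:
        unstuff(token, key)
        return True
    except ValueError:
        return False


def modified_copy(token: str, old: bytes, new: bytes) -> str:
    """Model a blob whose serialized body was edited while the tag was kept.

    Used only to demonstrate detection: unstuff() must reject the result.
    """
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    return base64.urlsafe_b64encode(body.replace(old, new) + tag).decode()


class OneShotRegistry:
    """Adds replay protection by remembering nonces the server has redeemed.

    Authentication alone cannot stop a valid blob from being presented twice
    or from another machine; that needs server-side state, which is exactly
    what stuffing the continuation into the client was meant to avoid.
    """

    def __init__(self, key: bytes = SERVER_KEY):
        self._key = key
        self._used: set[str] = set()

    def issue(self, state: dict) -> str:
        """Stuff `state` together with a fresh single-use nonce."""
        return stuff(dict(state, nonce=secrets.token_hex(16)), self._key)

    def redeem(self, token: str):
        """Return the state if the token is authentic and unused, else None."""
        try:
            state = unstuff(token, self._key)
        except ValueError:
            return None
        nonce = state.pop("nonce", None)
        if nonce is None or nonce in self._used:
            return None  # missing nonce, or a replay of an already-used blob
        self._used.add(nonce)
        return state
```

The design point is the one the thread circles around: encrypting the blob hides its contents but, on its own, does nothing to stop a client from altering it, so the server must authenticate the bytes before deserializing them, and the authentication check has to run before any deserializer touches untrusted input. Replay and cross-machine transfer are a different problem, and the registry shows the trade: stopping them reintroduces per-session server state or at least a store of spent nonces with an expiry.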