[plt-scheme] Introducing... Stuffers

From: Raoul Duke (raould at gmail.com)
Date: Fri Feb 6 20:23:06 EST 2009

hi,

> Cookies are usually used to uniquely identify the user, so that the
> right session can be loaded by the server, whereas in this case the
> continuation itself is on the client's machine. I was thinking more
> along the lines of people modifying their continuations to make the
> server execute different code. I'm asking because I don't know enough
> about how the continuations are serialized to know what the dangers
> are, and as far as I can see the documentation makes no mention of
> security considerations.

sorry, i might be clueless or not speaking well :-}

because you can have the server encrypt the serialized continuations
before sending them to the client, you can sorta just say that
particular security issue isn't relevant. (well, it actually is,
because encryption will tend to bloat things, of course, but ignoring
that...)

which means since they can't muck with them in any productive way, you
get to issues that are the issues we have about storing anything on
the client machine, just like with cookies.

there are situations where somebody can manage to get a copy of your
cookie (via xss attack or phishing or whatever) and use that to log
into e.g. gmail w/out ever needing to enter a user name and password!
bad news!

so people could steal the continuation as well (assuming e.g. the
continuation is stored as a cookie since that is the standard
client-side storage mechanism) and then do whatever it is you were
doing --- but only if the server side is written w/out such security
concerns in mind.

sorry if i'm still misunderstanding / not making any sense :-(

sincerely.

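Added example (not code from this thread or from PLT Scheme's web-server): a minimal "stuffer" in Python that serializes continuation state for the client, appends an HMAC so any client-side edit is detected on the way back in, and binds the token to the presenting session id so a copied token is rejected from another session. Note that detection of modification comes from the MAC, not from encryption; encryption would only hide the contents. `SERVER_KEY`, `stuff`, `unstuff`, `client_edit` and the `sid` field are assumed names for this example.

```python
import base64
import hashlib
import hmac
import json
import os

# Server-side secret; never sent to the client (constructed for this example).
SERVER_KEY = os.urandom(32)
TAG_LEN = 32  # length of an HMAC-SHA256 tag

def stuff(state: dict) -> str:
    """Serialize the continuation state and append an HMAC over it."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def unstuff(token: str, session_id: str):
    """Return the state if the tag verifies and the embedded session id
    matches the session presenting the token; otherwise return None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None  # not even well-formed base64
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # body was modified on the client or in transit
    state = json.loads(body)
    if not hmac.compare_digest(str(state.get("sid", "")).encode(), session_id.encode()):
        return None  # token presented by a different session (a copied token)
    return state

def client_edit(token: str, old: str, new: str) -> str:
    """Simulate a client rewriting the serialized body without knowing SERVER_KEY."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    edited = body.replace(old.encode(), new.encode())
    return base64.urlsafe_b64encode(edited + tag).decode()

if __name__ == "__main__":
    tok = stuff({"sid": "s1", "step": 3, "role": "user"})
    print(unstuff(tok, "s1"))                                    # the original state
    print(unstuff(client_edit(tok, '"user"', '"admin"'), "s1"))  # None: tag mismatch
    print(unstuff(tok, "s2"))                                    # None: wrong session
```

The session binding only helps when the continuation and the session cookie are not both taken together; it does not replace server-side session invalidation.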

Posted on the users mailing list.