[plt-scheme] Looking for a security consultant with PLT web server experience

From: Neil Van Dyke (neil at neilvandyke.org)
Date: Mon Oct 5 06:25:41 EDT 2009

Dave Gurnell wrote at 10/05/2009 04:37 AM:
> I've been thinking about this one recently. I'm no expert in TCP/IP - 
> is IP checking something that's reliable enough to be built into the 
> web server (say, into the LRU)? You say it's not a solid security 
> option, but I'm guessing it only ever produces false positives. If it 
> doesn't produce false negatives, could it be built right in without 
> fear of locking users out of their own continuations?

Some wireless technologies and setups might give false negatives right 
now.  I think we cannot assume the IP address will remain the same 
between requests that constitute a session, or we won't work with some 
perfectly legitimate HTTP networking, now and in the future.

(Some banks might check the IP address, but the same banks are doing 
snake-oil things and even making a big PR deal about authentication 
methods that they've been quietly told don't actually work.  And they're 
very much, "We don't care.  We don't have to.  We're the phone company.")

> I only currently know about the stateful model, in which a 
> continuation is associated with three numbers embedded into the URL:

Yes, I would try to take session information out of the URL.  Offhand, 
I'm not sure the best way to do this for all browsers while preserving 
all back button behavior that one might preserve with URLs, so there 
would be experiments and possible tradeoffs or mitigating measures.

> One nice thing about the web server architecture is that all of these 
> issues can be addressed (if they need to be addressed) by writing and 
> plugging in a custom continuation manager. The Untypers have dabbled 
> with the LRU manager a few times, implementing things like extra 
> logging and some application specific continuation management. These 
> security-related features seem like other natural extensions.
> It'd be good to collaborate on something like this as and release it 
> as a PLaneT package.

Seems like PLT has been putting a lot of energy into the Web server and 
servlets in the last year or two.  I'd first find out whether this is 
something they want to look into right now.  (Just yesterday, I found 
that Ryan Culpepper had scooped me on macro keyword support, after I'd 
recently slaved over a hot syntax-rules to do the same thing. :)  In any 
case, I would try to make sure I understood PLT's rationale for 
everything upfront, to save a lot of energy.

I'd be happy to kibitz on this, and am especially curious about a model 
for session vs. session-independent URLs, but unfortunately I can't 
volunteer coding work right now.


Posted on the users mailing list.