[plt-scheme] Are web-server continuations "safe"?

From: Jay McCarthy (jay.mccarthy at gmail.com)
Date: Tue Mar 4 09:50:20 EST 2008

This is what should happen.

There is no way to change the behavior that if "X" runs when you go to
URL "Y" from computer "A", then it will also happen from computer "B".
So it is easy to hijack a user's session if you don't prepare for it.

For example, you can make the "X" that happens rely on the computer
being "A", through a cookie, for example, or by requiring an HTTP
password on the URL (that will be cached and transparent to a client
who has already logged in).

Jay

btw, we consider this a feature.

On Tue, Mar 4, 2008 at 6:27 AM, Eric Biunno <01rice at gmail.com> wrote:
> In v371,
> when I connect to a servlet from one client computer and receive a
> continuation embedded into URL,
> I can then invoke this continuation from another client computer without a
> problem.
> Is this what should happen? Does the development version behave the same
> way? Is there a way to change this behavior?
> Am I not understanding the proper use of web-server continuations?
> I feel like this makes it easy to hijack a user's session, am I wrong?
>
> Thanks,
> Eric
>

-- 
Jay McCarthy <jay.mccarthy at gmail.com>
http://jay.teammccarthy.org


Posted on the users mailing list.
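The cookie binding Jay describes, written out as an added example. This is not code from the original thread or from the PLT web-server distribution; it is written against the current Racket web-server API (send/suspend, request-cookies, make-cookie) rather than v371, and the cookie name "sid", the port and the servlet layout are assumptions. The idea is that the continuation URL handed to the browser is a bearer capability that anyone can replay, so each continuation remembers which session cookie was present when it was captured and refuses to run for a request that does not carry the same one.

```racket
#lang racket
;; Added example (not from the original post): bind a web-server continuation
;; to one browser by checking a session cookie when the continuation resumes.
(require web-server/servlet
         web-server/servlet-env
         net/url
         racket/random
         file/sha1)

;; Assumed cookie name; any name works as long as it is checked consistently.
(define SESSION-COOKIE "sid")

;; Return the sid cookie value sent with this request, or #f if absent.
(define (request-session-id req)
  (define c (findf (lambda (c) (string=? (client-cookie-name c) SESSION-COOKIE))
                   (request-cookies req)))
  (and c (client-cookie-value c)))

;; 256 bits from the OS CSPRNG, hex encoded. Unlike the continuation URL,
;; which is visible to anyone who sees the link, this value only ever travels
;; in the Cookie header of the browser it was issued to.
(define (fresh-session-id)
  (bytes->hex-string (crypto-random-bytes 32)))

;; Abort with 403 unless the request that resumed the continuation carries the
;; same sid that was present when the continuation was captured.
(define (check-same-client! req expected-sid)
  (unless (equal? (request-session-id req) expected-sid)
    (send/back
     (response/xexpr
      #:code 403
      `(html (body (p "This continuation belongs to a different browser session.")))))))

(define (start initial-req)
  (define sid (request-session-id initial-req))
  (cond
    ;; First visit: issue a session cookie and let the browser come back with it.
    [(not sid)
     (send/back
      (response/xexpr
       #:cookies (list (make-cookie SESSION-COOKIE (fresh-session-id)
                                    #:path "/" #:http-only? #t))
       `(html (body (p "Session cookie set.")
                    (a ((href ,(url->string (request-uri initial-req))))
                       "Continue")))))]
    [else
     ;; Ask a question. k-url is the continuation URL embedded in the form;
     ;; sid is captured lexically along with the continuation.
     (define answer-req
       (send/suspend
        (lambda (k-url)
          (response/xexpr
           `(html (body (form ((action ,k-url) (method "post"))
                              (input ((name "answer")))
                              (input ((type "submit") (value "Send"))))))))))
     ;; Execution resumes here for ANY request to k-url, from any computer.
     ;; Only a request presenting the captured sid is allowed to proceed.
     (check-same-client! answer-req sid)
     (response/xexpr
      `(html (body (p ,(format "You answered: ~a"
                               (extract-binding/single
                                'answer (request-bindings answer-req)))))))]))

(serve/servlet start
               #:servlet-path "/"
               #:port 8080
               #:command-line? #t)
```

Run it with `racket file.rkt`, open http://localhost:8080/ in one browser, click "Continue", and copy the form's action URL into a second browser or another machine: submitting from there resumes the same continuation but fails the sid check with a 403, while the original browser can submit normally. The continuation URL is still a bearer token within the scope of that cookie, so the cookie is now the secret to protect: serve over HTTPS and add `#:secure? #t` to the cookie, and remember that continuations still expire according to the server's continuation manager independently of the session.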