[plt-scheme] Are web-server continuations "safe"?

From: Dave Gurnell (d.j.gurnell at gmail.com)
Date: Tue Mar 4 11:13:51 EST 2008

Hi guys,

A couple of points:

First, a point about security (some of which repeats what Jay said):

Continuation URLs aren't significantly more or less secure than the  
other usual methods of identifying users. Most sites use user-specific  
strings stored in a cookie or an extra parameter on the URL, and these  
are just as sniffable and spoofable as a code for a continuation. If  
you want extra security, do the following:

   - store and check a unique identification string in a cookie on the browser;
   - cross-reference the string against a value stored in a parameter or web-parameter on the server;
   - cross-reference the string against the client IP address received in the request;
   - forcibly expire old continuations whenever possible using send/forward or send/back.

Second, a point about the (non-)bookmarkable nature of continuations:

Continuations don't last forever. You can bookmark and share a URL but  
it could expire before the recipient gets it. I only have experience  
with non-web-language servlets, but in these cases you're only looking  
at minutes to hours before a continuation expires...

- When you use the timeout continuation manager you set this time in  
stone but you might hit a hard memory limit in periods of heavy load.  
I would not recommend the timeout manager for production software.

- If you use the LRU manager your resilience to heavy traffic goes up  
but your continuation lifetime starts to vary. Usually it becomes a  
function of the amount of memory used by the system - the more people  
use the site, the quicker the site throws away continuations.

- The web language makes continuations serializable. I don't know  
enough about this option to say where the continuations get stored,  
and I don't know what automatic expiry policy the web language uses,  
but this ought to make things a lot better.

Whichever option you use I wouldn't recommend using continuations as  
bookmarkable URLs. I am about to release a simple library that will  
help create permanently bookmarkable URLs - please email me off-list  
if you're interested.

Cheers,

-- Dave



Posted on the users mailing list.
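The checks listed in the post above (an unguessable URL token, a unique cookie cross-referenced against a server-side record, the client IP, and forced expiry of earlier continuations in the style of send/forward), together with the difference between a fixed-timeout and an LRU expiry policy, modelled as an added Python example. This is example code written for this page, not the PLT web-server's continuation manager; the class and method names (ContinuationStore, capture, forward, resume), the policy names and every sample value are assumptions.

```python
import secrets
import time
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed model: a continuation is a server-side record reachable only
# through a random URL token, and resuming it requires the same cookie value
# and client IP that were seen when it was captured.  Names are assumptions
# for this example, not the PLT web-server API.


@dataclass
class Entry:
    k: Callable[[dict], str]   # the "continuation": called with the request bindings
    session_id: str            # value of the unique cookie at capture time
    client_ip: str             # client address at capture time
    created: float
    last_used: float


class ContinuationStore:
    def __init__(self, policy: str = "timeout", ttl: float = 600.0, max_entries: int = 1000):
        assert policy in ("timeout", "lru")
        self.policy = policy
        self.ttl = ttl                  # fixed lifetime (timeout policy)
        self.max_entries = max_entries  # memory cap (lru policy)
        self._table: "OrderedDict[str, Entry]" = OrderedDict()

    def capture(self, k, session_id: str, client_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # 192-bit random key that goes in the URL
        self._table[token] = Entry(k, session_id, client_ip, now, now)
        if self.policy == "lru":
            # Under load the oldest continuations are dropped first, so the
            # effective lifetime shrinks as more users hold live continuations.
            while len(self._table) > self.max_entries:
                self._table.popitem(last=False)
        return token

    def expire_session(self, session_id: str) -> None:
        """Forcibly expire every continuation belonging to one session."""
        for tok in [t for t, e in self._table.items() if e.session_id == session_id]:
            del self._table[tok]

    def forward(self, k, session_id: str, client_ip: str, now: Optional[float] = None) -> str:
        """send/forward-style capture: issuing a new continuation invalidates
        all earlier ones for the same session, so old URLs cannot be replayed."""
        self.expire_session(session_id)
        return self.capture(k, session_id, client_ip, now)

    def resume(self, token: str, session_id: str, client_ip: str, bindings: dict,
               now: Optional[float] = None) -> Tuple[Optional[str], str]:
        now = time.time() if now is None else now
        entry = self._table.get(token)
        if entry is None:
            return None, "unknown-or-expired"
        if self.policy == "timeout" and now - entry.created > self.ttl:
            del self._table[token]
            return None, "timed-out"
        # Cross-reference the cookie against the stored value in constant time.
        if not secrets.compare_digest(entry.session_id, session_id):
            return None, "cookie-mismatch"
        if entry.client_ip != client_ip:
            return None, "ip-mismatch"
        entry.last_used = now
        self._table.move_to_end(token)  # mark as recently used for the LRU policy
        return entry.k(bindings), "ok"


def demo_binding() -> dict:
    """A bookmarked/shared continuation URL fails without the matching cookie and IP."""
    store = ContinuationStore(policy="timeout", ttl=60)
    sid, ip = "cookie-abc", "10.0.0.5"          # constructed sample values
    tok = store.capture(lambda b: f"hello {b['name']}", sid, ip, now=1000)
    out = {}
    out["ok"] = store.resume(tok, sid, ip, {"name": "dave"}, now=1010)
    out["shared_link"] = store.resume(tok, "other-cookie", "10.0.0.9", {"name": "x"}, now=1010)
    out["expired"] = store.resume(tok, sid, ip, {"name": "dave"}, now=1100)
    out["replay"] = store.resume(tok, sid, ip, {"name": "dave"}, now=1101)
    return out


def demo_lru() -> list:
    """With a memory cap of two entries, the third capture evicts the first."""
    store = ContinuationStore(policy="lru", max_entries=2)
    sid, ip = "cookie-abc", "10.0.0.5"
    toks = [store.capture(lambda b, i=i: f"page {i}", sid, ip, now=1000 + i) for i in range(3)]
    return [store.resume(t, sid, ip, {}, now=1010)[1] for t in toks]


def demo_forward() -> tuple:
    """forward() expires the earlier continuation of the same session."""
    store = ContinuationStore(policy="timeout", ttl=60)
    sid, ip = "cookie-abc", "10.0.0.5"
    old = store.capture(lambda b: "step 1", sid, ip, now=1000)
    new = store.forward(lambda b: "step 2", sid, ip, now=1001)
    return store.resume(old, sid, ip, {}, now=1002)[1], store.resume(new, sid, ip, {}, now=1002)[1]
```

Binding the token to the client IP is the check most likely to reject legitimate users, since clients behind rotating proxies or mobile networks change address mid-session; the cookie cross-reference carries most of the value, and the forced expiry keeps a leaked URL useful for only as long as the step it belongs to.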