[plt-scheme] Looking for a security consultant with PLT web server experience

From: Noel Welsh (noelwelsh at gmail.com)
Date: Mon Oct 5 06:57:02 EDT 2009

On Mon, Oct 5, 2009 at 11:25 AM, Neil Van Dyke <neil at neilvandyke.org> wrote:
>> I only currently know about the stateful model, in which a continuation is
>> associated with three numbers embedded into the URL:
>
> Yes, I would try to take session information out of the URL.  Offhand, I'm
> not sure the best way to do this for all browsers while preserving all back
> button behavior that one might preserve with URLs, so there would be
> experiments and possible tradeoffs or mitigating measures.
>

Yeah, the issue here is that the URL identifies the browser window,
which is what is associated with the continuation. One could add an
additional part to the URL which combines with, say, a cookie to
identify a particular user. This way just a URL is not sufficient to
hijack a session. This doesn't allow people to, say, email URLs to one
another. Also, someone eavesdropping on the network could hijack the
session. For the former a sensible URL scheme (using dispatchers)
allows one to show the correct page in many cases. The latter is an
issue faced by all web apps, and I think SSL is the appropriate
solution if it is a concern.

N.


Posted on the users mailing list.
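The scheme Noel sketches above, a continuation id in the URL plus an extra URL part that only verifies against a secret held in the user's cookie, written out as an added Python example. This is not the PLT web server's own code; `SessionStore`, `ContinuationDispatcher`, the `/servlet/k/<id>/<tag>` path shape and the in-memory tables are all assumptions made for the illustration. The tag is an HMAC of the continuation id keyed by the per-session secret, so a URL on its own (emailed, logged, or seen over the shoulder) does not resume the continuation; requests that fail the check fall through to a path-based dispatcher that serves the servlet's start page instead of an error. As the post says, this does nothing against an eavesdropper who also sees the cookie; that is what TLS is for.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple


class SessionStore:
    """Constructed in-memory map from the opaque cookie value to a per-session secret."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def new_session(self) -> str:
        # The cookie value is random and opaque; the secret never leaves the server.
        cookie = secrets.token_urlsafe(16)
        self._secrets[cookie] = secrets.token_bytes(32)
        return cookie

    def secret_for(self, cookie: Optional[str]) -> Optional[bytes]:
        if cookie is None:
            return None
        return self._secrets.get(cookie)


def bind_tag(secret: bytes, k_id: int) -> str:
    """The extra URL part: HMAC-SHA256 of the continuation id under the session secret."""
    return hmac.new(secret, str(k_id).encode(), hashlib.sha256).hexdigest()[:32]


class ContinuationDispatcher:
    """Hypothetical dispatcher; continuation URLs look like /servlet/k/<k-id>/<tag>."""

    def __init__(self, sessions: SessionStore, start_page: Callable[[], str]) -> None:
        self.sessions = sessions
        self.start_page = start_page          # fallback page for non-continuation paths
        self._conts: Dict[int, Callable[[], str]] = {}
        self._next_id = 0

    def capture(self, cookie: str, cont: Callable[[], str]) -> str:
        """Store a continuation and return a URL bound to the caller's session."""
        secret = self.sessions.secret_for(cookie)
        if secret is None:
            raise KeyError("no session for this cookie")
        k_id = self._next_id
        self._next_id += 1
        self._conts[k_id] = cont
        return f"/servlet/k/{k_id}/{bind_tag(secret, k_id)}"

    def dispatch(self, path: str, cookie: Optional[str]) -> Tuple[str, str]:
        """Resume the continuation only if URL tag and cookie agree; else show the start page."""
        parts = path.split("/")                # ['', 'servlet', 'k', '<id>', '<tag>']
        if len(parts) != 5 or parts[1:3] != ["servlet", "k"] or not parts[3].isdigit():
            return ("start", self.start_page())
        k_id, tag = int(parts[3]), parts[4]
        secret = self.sessions.secret_for(cookie)
        cont = self._conts.get(k_id)
        if secret is None or cont is None:
            return ("start", self.start_page())   # no cookie, unknown cookie, or expired id
        expected = bind_tag(secret, k_id)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return ("start", self.start_page())   # URL was minted for a different session
        return ("continuation", cont())


if __name__ == "__main__":
    sessions = SessionStore()
    app = ContinuationDispatcher(sessions, lambda: "<start page>")
    alice = sessions.new_session()
    url = app.capture(alice, lambda: "<alice's next page>")
    print(url)
    print(app.dispatch(url, alice))          # resumes
    print(app.dispatch(url, None))           # bare URL: start page
    print(app.dispatch(url, sessions.new_session()))  # someone else's cookie: start page
```

Because the tag is checked with `hmac.compare_digest` and recomputed from the server-side secret, the URL carries nothing a recipient can use without the matching cookie; the cost is exactly the one Noel notes, that forwarding a URL to another person lands them on the dispatcher's start page rather than on the sender's continuation.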