[plt-scheme] Looking for a security consultant with PLT web server experience
On Mon, Oct 5, 2009 at 4:57 AM, Noel Welsh <noelwelsh at gmail.com> wrote:
> On Mon, Oct 5, 2009 at 11:25 AM, Neil Van Dyke <neil at neilvandyke.org> wrote:
>>> I only currently know about the stateful model, in which a continuation is
>>> associated with three numbers embedded into the URL:
>>
>> Yes, I would try to take session information out of the URL. Offhand, I'm
>> not sure the best way to do this for all browsers while preserving all back
>> button behavior that one might preserve with URLs, so there would be
>> experiments and possible tradeoffs or mitigating measures.
>>
>
> Yeah, the issue here is that the URL identifies the browser window,
> which is what is associated with the continuation. One could add an
> additional part to the URL which combines with, say, a cookie to
> identify a particular user. This way just a URL is not sufficient to
> hijack a session. This doesn't allow people to, say, email URLs to one
> another. Also, someone eavesdropping on the network could hijack the
> session. For the former a sensible URL scheme (using dispatchers)
> allows one to show the correct page in many cases. The later is an
> issue faced by all web apps, and I think SSL is the appropriate
> solution if it is a concern.
This, in general, is the method I advise. However, the comment that
"This doesn't allow people to, say, email URLs to one another." is not
exactly true even when you aren't using the URL dispatcher. The
continuation will always be invoked, but if there is extra
authentication then it will perform that before doing work. When the
authentication isn't there, it doesn't need to just error; it can
request authentication and then resume the previous user's computation
if it is appropriate. (For example, if the previous continuation was
changing the password, then new authentication doesn't allow it, but
if it is looking a paper review, then the new authentication would
consult the ACL to decide if the paper review should be displayed and
maybe it can.)
Basically, the continuation can do *anything* including authentication
and resuming.
Also, re: SSL. You only read need SSL in the first step that gives the
authenticator. That will be better for performance.
Jay
--
Jay McCarthy <jay at cs.byu.edu>
Assistant Professor / Brigham Young University
http://teammccarthy.org/jay
"The glory of God is Intelligence" - D&C 93