Sylvain Wallez wrote:
> Leszek Gawron wrote:
>> Sylvain Wallez wrote:
>>> This has already been identified by Leszek Gawron. Although this is
>>> an issue, it can only be exploited by hijacking a continuation ID
>>> which, if done, also means the ability to hijack the session ID and
>>> therefore the associated authorizations.
>> not only ..
>> 1. You login.
>> 2. Do stuff.
>> 3. Logout.
>> 4. Even restart your computer.
>> 5. Go to the Firefox cache - the page is there (I still do not know why,
>>    since I set the caching headers properly).
>> 6. http://thehost.com/myapp/showReport.do. The page loads from cache.
>>    The page content has a hidden input with a valid continuation.
>> 7. Submit the form.
>> 8. The report is yours!
> You're right, but this works only during the continuation expiration
> period.
> The solution for this is the continuation-per-session manager, where
> a continuation ID only exists within a given session.
>> Would you be so kind as to review my solution for this? It is not quite
>> finished (instrumentation and debug info are not implemented) but I am
>> very eager to polish it if it could be useful to anyone but me.
> I'm insanely busy until next Wednesday and unfortunately will not be
> able to look at it before then. Maybe someone else can do it in the
> meantime?
> I also like your idea of associating the sitemap ID to the continuation
> so that a given continuation can only be called in the sitemap that
> created it. As the flowscript interpreter already holds this ID, that
> should be pretty much straightforward.
> Sylvain
How can I retrieve that ID? I could implement a test version for Carsten.
--
Leszek Gawron [EMAIL PROTECTED]
Project Manager MobileBox sp. z o.o.
+48 (61) 855 06 67 http://www.mobilebox.pl
mobile: +48 (501) 720 812 fax: +48 (61) 853 29 65
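The continuation-per-session manager discussed in this thread, written out as an added sketch (this is not Cocoon's code and not Leszek's patch; class and method names such as `SessionBoundContinuations`, `create`, `lookup` and `invalidateSession` are hypothetical). It assumes the caller passes the servlet session ID and the sitemap ID that the flowscript interpreter already holds, and it shows the replay case from the thread: a form cached by the browser still carries a syntactically valid continuation ID, but the ID is only honoured by the session and sitemap that created it and only until that session is invalidated or the continuation expires.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical continuation-per-session manager (not Cocoon's own code).
 * A continuation is addressable by its public ID, but it is also bound to the
 * session ID and sitemap ID of the request that created it. It is handed back
 * only to a request presenting the same pair before the expiration time, and
 * invalidating a session drops every continuation that session owns, so a
 * form replayed from the browser cache after logout has nothing to resume.
 */
public final class SessionBoundContinuations {

    /** Continuation record; the captured flow state is omitted for the sketch. */
    public static final class Continuation {
        public final String id;
        public final String sessionId;
        public final String sitemapId;
        public final long expiresAtMillis;

        Continuation(String id, String sessionId, String sitemapId, long expiresAtMillis) {
            this.id = id;
            this.sessionId = sessionId;
            this.sitemapId = sitemapId;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Map<String, Continuation> byId = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Registers a new continuation owned by (session, sitemap) and returns its ID. */
    public String create(String sessionId, String sitemapId, long nowMillis, long ttlMillis) {
        byte[] raw = new byte[16];                       // 128 bits from a CSPRNG
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byId.put(id, new Continuation(id, sessionId, sitemapId, nowMillis + ttlMillis));
        return id;
    }

    /**
     * Resolves a continuation ID. Returns null when the ID is unknown, expired,
     * or presented by a different session or sitemap than the one that created it.
     */
    public Continuation lookup(String id, String sessionId, String sitemapId, long nowMillis) {
        Continuation c = byId.get(id);
        if (c == null) {
            return null;
        }
        if (nowMillis >= c.expiresAtMillis) {
            byId.remove(id);                             // expired: forget it
            return null;
        }
        if (!c.sessionId.equals(sessionId) || !c.sitemapId.equals(sitemapId)) {
            return null;                                 // valid ID, wrong owner: treat as unknown
        }
        return c;
    }

    /** Called on logout or session expiry: drops every continuation the session owns. */
    public int invalidateSession(String sessionId) {
        int before = byId.size();
        byId.values().removeIf(c -> c.sessionId.equals(sessionId));
        return before - byId.size();
    }

    public static void main(String[] args) {
        SessionBoundContinuations mgr = new SessionBoundContinuations();
        long now = 1_000_000L;                           // constructed clock value
        long ttl = 10 * 60 * 1000L;                      // 10 minute continuation lifetime
        String sessionA = "sess-A";                      // constructed session IDs
        String sitemap = "sitemap-main";                 // constructed sitemap ID

        // Logged-in session A renders showReport; the page embeds this ID in a hidden input.
        String kont = mgr.create(sessionA, sitemap, now, ttl);

        // Same session submits the form inside the TTL: resumes.
        System.out.println("same session:  " + (mgr.lookup(kont, sessionA, sitemap, now + 1000) != null));
        // Another session replays the cached form with the same ID: rejected.
        System.out.println("other session: " + (mgr.lookup(kont, "sess-B", sitemap, now + 1000) != null));
        // Same session, but via another sitemap: rejected.
        System.out.println("other sitemap: " + (mgr.lookup(kont, sessionA, "sitemap-other", now + 1000) != null));
        // Logout drops session A's continuations; even session A can no longer resume.
        System.out.println("dropped:       " + mgr.invalidateSession(sessionA));
        System.out.println("after logout:  " + (mgr.lookup(kont, sessionA, sitemap, now + 1000) != null));
    }
}
```

Running `main` prints `true`, `false`, `false`, `1`, `false`. The lookup deliberately returns the same `null` for an unknown ID and for an ID owned by another session, so a caller cannot tell a guessed ID from a live one; and because the check is keyed on the session rather than on the page, it holds even when the browser ignores the cache-control headers and serves the old form from its cache.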