Hi Christopher,

On 2 Sep 2018, at 3:05, Christopher Lemmer Webber wrote:

> I appreciate the goal of the continuation web server in Racket as trying
> to avoid the "inversion of control" problem which plagues much web
> development.  But I wonder if the default continuation web server is
> very secure?
>
> Looking at the URI generated by the continuation web server...
>
> http://localhost:34691/servlets/standalone.rkt;(("k" . "(1 1 2810783)"))
>
> That's the id used to retrieve the continuation, right? Presumably this
> is effectively the session of something someone is doing that's
> important. This doesn't look very high entropy... I'm guessing I could
> manage to intercept someone's continuation/session. A very large random
> number would be needed to prevent this.

Another consideration here is to use HTTPS. That way, the URL is not exposed: even if I were eavesdropping on your connection, I wouldn't have the URL. (I *would* be able to know that you're contacting a certain server on a particular port, but that falls short of knowing the URL being accessed.)

> Another way to get around this design problem would be to use cookies,
> maybe signed if necessary (not sure it would be, since a large opaque
> bearer token may be sufficient). I am not a huge fan of that design in
> some ways but it may be the best option available given the options
> available within the insecurity of modern web browser design.

Cookies are a nice technique to use here. I'm not sure what signing them would add (you want to validate the requester and not yourself, right?). Some web frameworks allow you to set up your server so that it uses one-time cookies, which may also allay some of your security concerns.

Jesse

--
You received this message because you are subscribed to the Google Groups "Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
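The following is an added example, written for this thread; it is not code from the Racket web server or from either correspondent. It models the three things discussed above in Python: a continuation identifier of the quoted shape (instance id, continuation id, salt) drawn from a small space versus an opaque 256-bit bearer token; an HMAC-signed cookie value that the server can verify without keeping any state; and the limit of signing, which is that a signed value captured on the wire still verifies, so confidentiality of the URL or cookie is a transport (HTTPS) matter. The live session table, the quoted salt 2810783, the signing key and the cookie contents are all constructed for the example.

```python
"""Added example, not from the Racket web server or the thread's authors.

Demonstrates:
  1. guessing a low-entropy identifier versus an opaque high-entropy token,
  2. an HMAC-signed cookie value verified statelessly by the server,
  3. that a captured signed value replays cleanly (signing is not secrecy).
All identifiers, keys and the session table below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Iterator, Optional


def continuation_key(instance_id: int, k_id: int, salt: int) -> str:
    """Constructed imitation of the ("k" . "(1 1 2810783)") shape quoted above."""
    return f"({instance_id} {k_id} {salt})"


def guess_key(valid: set, candidates: Iterable[str], budget: int) -> Optional[int]:
    """Submit candidate identifiers against the set of live ones.

    Returns the number of attempts needed for the first hit, or None if the
    attacker's budget runs out first.
    """
    for attempts, cand in enumerate(candidates, start=1):
        if attempts > budget:
            return None
        if cand in valid:
            return attempts
    return None


def sequential_candidates(upper: int) -> Iterator[str]:
    """An attacker walking a small salt space in order (constructed model)."""
    for salt in range(upper):
        yield continuation_key(1, 1, salt)


def random_candidates(nbytes: int) -> Iterator[str]:
    """An attacker guessing opaque tokens blindly; never terminates on its own."""
    while True:
        yield secrets.token_urlsafe(nbytes)


def opaque_token(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG: the 'very large random number' suggested."""
    return secrets.token_urlsafe(nbytes)


def sign_value(value: str, key: bytes) -> str:
    """Cookie value + '.' + HMAC-SHA256 tag; the value itself is not secret."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(cookie: str, key: bytes) -> Optional[str]:
    """Return the trusted value, or None if the tag is missing or wrong."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # constant-time compare on bytes: avoids a timing oracle and a TypeError
    # on non-ASCII input from the client
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return value


def demo() -> dict:
    # 1. entropy: the quoted salt falls to a sequential walk; a random
    #    256-bit token does not fall to 10,000 blind guesses.
    live = {continuation_key(1, 1, 2810783)}          # constructed live session
    sequential = guess_key(live, sequential_candidates(2 ** 23), budget=2 ** 23)
    strong = {opaque_token()}
    random_guess = guess_key(strong, random_candidates(32), budget=10_000)

    # 2. signing: server-held key, client-held value, no server-side state.
    key = secrets.token_bytes(32)                       # constructed signing key
    cookie = sign_value("user=alice;k=(1 1 2810783)", key)
    verified = verify_value(cookie, key)
    tampered = verify_value(cookie.replace("alice", "bob"), key)
    forged = verify_value(sign_value("user=bob", secrets.token_bytes(32)), key)

    # 3. replay: the same bytes captured in transit still verify.
    replayed = verify_value(cookie, key)
    return {
        "sequential_attempts": sequential,
        "random_attempts": random_guess,
        "verified": verified,
        "tampered": tampered,
        "forged": forged,
        "replayed": replayed,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The signed cookie answers the "what does signing add" question only in one direction: it lets the server trust a value it did not store (a user id, a continuation id) because the client cannot alter it or mint a new one without the key. It does nothing against an eavesdropper who simply reuses the cookie, which is why the HTTPS point and the high-entropy token point stand on their own.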
