thanks Massimo....
2013/11/29 Massimo Di Pierro <[email protected]>
> If I understand this post there are two issues (in RoR) which conspire to
> create the problem:
> 1) session cookies can be stolen
> 2) session cookies remain valid after logout.
>
> The attack does not apply to web2py because 2) does not apply.
> Web2py since 2.7.x reissues session cookies when users sign in. That
> means that an attacker who steals a session cookie after the legitimate
> user signs out cannot use it to sign in.
>
> Of course 1) still stands and session cookies can be stolen. Which means
> that an attacker who steals a session cookie can sign in while the
> legitimate user is also signed in. This can be prevented by forcing ssh.
>
> I think we are fine.
>
> Massimo
>
> On Friday, 29 November 2013 10:31:28 UTC-6, samuel bonill wrote:
>>
>> There are known vulnerabilities regarding session management in Ruby on
>> Rails and Django. How does web2py protect against such attacks?
>>
>> LINK: http://thehackernews.com/2013/11/thousands-of-websites-based-on-ruby-on_29.html
>>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "web2py-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/web2py/_i231zhmhRM/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
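The two properties Massimo relies on above (the session id is reissued at sign-in, and a session is destroyed server-side at sign-out so a copied cookie stops working) shown as an added, framework-independent Python example. This is not web2py's code and not from the thread; the `SessionStore` class, its method names, the cookie attribute helper and the sample user name are assumptions made here for illustration.

```python
import secrets
from typing import Optional


class SessionStore:
    """Hypothetical in-memory server-side session table keyed by session id."""

    def __init__(self) -> None:
        self._sessions: dict = {}  # session_id -> session data

    def new_session(self) -> str:
        """Create an anonymous (pre-authentication) session."""
        sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid: str, username: str) -> str:
        """Authenticate and reissue the session id.

        The data moves to a fresh id and the pre-login id is deleted, so an id
        that was fixed or observed before authentication never becomes an
        authenticated session (what the thread calls reissuing on sign-in).
        """
        data = self._sessions.pop(old_sid, {"user": None})
        data["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid: str) -> None:
        """Destroy the server-side session, not just the browser cookie.

        This is point 2) in the thread: after logout the old cookie value must
        no longer map to anything on the server.
        """
        self._sessions.pop(sid, None)

    def current_user(self, sid: str) -> Optional[str]:
        """Resolve a presented cookie value to a user, or None if unknown."""
        data = self._sessions.get(sid)
        return data["user"] if data else None


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that limit theft (point 1): HttpOnly keeps script
    from reading it, Secure keeps it off plaintext HTTP, SameSite limits
    cross-site sending. Assumed attribute set, not a web2py default."""
    return f"session_id={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def check_session_lifecycle() -> dict:
    """Walk one session through login and logout and report each property."""
    store = SessionStore()
    pre_login = store.new_session()  # id the browser holds before signing in
    post_login = store.login(pre_login, "alice")  # "alice" is a constructed user

    results = {
        "rotated_on_login": pre_login != post_login,
        "old_id_dead_after_login": store.current_user(pre_login) is None,
        "new_id_authenticated": store.current_user(post_login) == "alice",
    }

    saved_copy = post_login  # the value a cookie would carry while signed in
    store.logout(post_login)
    # After logout the previously valid value must resolve to no user.
    results["copy_dead_after_logout"] = store.current_user(saved_copy) is None
    return results


if __name__ == "__main__":
    for name, ok in check_session_lifecycle().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
    print(set_cookie_header("example-session-id"))
```

The check deliberately keeps a copy of the signed-in id and asks the store about it after `logout`; a store that only cleared the browser cookie would still answer `"alice"`, which is the Rails behaviour the linked article describes.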

