@Massimo Of course 1) still stands and session cookies can be stolen. Which means that an attacker who steals a session cookie can sign in while the legitimate user is also signed in. This can be prevented by forcing ssh.
ssh?

2013/11/30 samuel bonill <[email protected]>
> thanks Massimo....
>
>
> 2013/11/29 Massimo Di Pierro <[email protected]>
>
>> If I understand this post there are two issues (in RoR) which conspire to
>> create the problem:
>> 1) session cookies can be stolen
>> 2) session cookies remain valid after logout.
>>
>> The attack does not apply to web2py because 2) does not apply.
>> Web2py since 2.7.x reissues session cookies when users sign in. That
>> means that an attacker who steals a session cookie after the legitimate
>> user signs out cannot use it to sign in.
>>
>> Of course 1) still stands and session cookies can be stolen. Which means
>> that an attacker who steals a session cookie can sign in while the
>> legitimate user is also signed in. This can be prevented by forcing ssh.
>>
>> I think we are fine.
>>
>> Massimo
>>
>> On Friday, 29 November 2013 10:31:28 UTC-6, samuel bonill wrote:
>>>
>>> there are known vulnerabilities regarding session management in ruby on
>>> rails and django .... how does web2py protect against such attacks?
>>>
>>> LINK: http://thehackernews.com/2013/11/thousands-of-websites-based-on-ruby-on_29.html
>>>
>> --
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "web2py-users" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/web2py/_i231zhmhRM/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>>
>> For more options, visit https://groups.google.com/groups/opt_out.
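The two properties Massimo describes (the session id is reissued when the user signs in, and the server-side record is destroyed at sign-out, so point 2 does not apply) as an added Python example; this is not web2py's own code and does not use its API. The `SessionStore` class, the `Session` record, the `session_cookie_header` attribute set and the "leaked before login" scenario in `demo()` are all assumptions constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session record; the browser only ever holds the opaque id."""
    user: Optional[str] = None
    data: Dict[str, str] = field(default_factory=dict)
    created: float = field(default_factory=time.time)


class SessionStore:
    """Hypothetical store illustrating the two properties discussed in the thread."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        # 256 bits from the OS CSPRNG: ids must be unguessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Authenticate and reissue the id, as the thread says web2py does on sign-in.

        The pre-login id is discarded, so an id captured or planted before
        authentication never turns into an authenticated session.
        """
        old = self._sessions.pop(sid, None)
        new_sid = self.new_session()
        fresh = self._sessions[new_sid]
        if old is not None:
            fresh.data = old.data  # carry over pre-login state, never the old id
        fresh.user = user
        return new_sid

    def logout(self, sid: str) -> None:
        """Destroy the server-side record so the cookie is worthless after sign-out."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Cookie attributes that narrow point 1 (theft in transit or via page script).

    Secure keeps the cookie off plaintext HTTP, which is the transport-level
    control the thread alludes to; HttpOnly keeps it away from page scripts.
    """
    return f"Set-Cookie: session_id={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> Dict[str, bool]:
    """Walk through sign-in and sign-out and report which ids are still honoured."""
    store = SessionStore()
    anon_sid = store.new_session()   # cookie issued to the not-yet-signed-in browser
    leaked_pre_login = anon_sid      # constructed: suppose this value leaked early

    authed_sid = store.login(anon_sid, "alice")
    checks = {
        "id_rotated_on_login": authed_sid != anon_sid,
        "pre_login_id_rejected": store.get(leaked_pre_login) is None,
        "new_id_is_authenticated": store.get(authed_sid).user == "alice",
    }

    # Point 1 in the thread: while alice is signed in the server cannot tell two
    # holders of the same id apart; only cookie attributes and an encrypted
    # transport reduce that exposure.
    checks["live_id_valid_while_signed_in"] = store.get(authed_sid) is not None

    store.logout(authed_sid)
    checks["id_rejected_after_logout"] = store.get(authed_sid) is None  # point 2 does not apply
    return checks


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the module prints one line per check; the point of the example is that rotating the id at sign-in and dropping the record at sign-out are server-side decisions, while a cookie copied during a live session stays valid until that sign-out, which is exactly the residual risk the thread leaves open.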

