Frank Barknecht wrote:
> Geoffrey Talvola wrote:
>
>> Using the latest Webware CVS as of a few minutes ago, if you use
>> UseAutomaticPathSessions=True with UseCookieSessions=False then the
>> session id is exclusively embedded in the URL and never sent in a
>> cookie, so based on my reading of the article, this should be safe
>> from session riding.
>
> As I understand the article, this will indeed disable session riding
> attacks (it also works with older Webwares, IIRC), however session ids
> then show up in HTTP Referer headers, which can be used to do other
> attacks (like XSS, cross site scripting, I think).

Actually, it doesn't work with older Webwares because until now, the
cookie was always sent along with the path session. I just added the
UseCookieSessions=False option yesterday.

> So the most secure solution is indeed to use "URL secrets", like the
> incrementing id already proposed (which must not be guessable) or
> random secrets (like in Funcs.uniqueId(), but they lead to uglier
> URLs), in combination with Cookie based sessions.
>
> It might be nice to add some kind of secrets to Webkit.Page or another
> place in WW.

The secret could be automatically placed in the path using a similar
mechanism to the one used for path sessions. This wouldn't be hard to
add. I may take a crack at it sometime in January.

- Geoff

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss
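The "URL secret plus cookie session" scheme discussed in this thread, as an added example that is not Webware's code: the cookie identifies the session, a random per-session secret is embedded in the path (the `/_SECRET_<value>/` prefix, the `_SID_` cookie name and the in-memory store are all assumptions for the demo), and a state-changing request is only honoured when the path secret matches the one stored for the cookie session, so a request that carries the cookie but not the secret is refused.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie session id -> session data.
SESSIONS = {}
SECRET_PREFIX = "/_SECRET_"   # assumed path marker, not Webware's real one


def new_session():
    """Create a cookie-based session that also carries an unguessable URL secret."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"url_secret": secrets.token_urlsafe(16)}
    return sid


def url_with_secret(sid, path):
    """Rewrite an application path so the session's secret rides in the URL,
    the way path sessions already rewrite links (assumed layout)."""
    return SECRET_PREFIX + SESSIONS[sid]["url_secret"] + path


def split_secret(path):
    """Return (secret, application path); secret is None when the prefix is absent."""
    if not path.startswith(SECRET_PREFIX):
        return None, path
    secret, _, tail = path[len(SECRET_PREFIX):].partition("/")
    return secret, "/" + tail


def handle_request(cookies, path):
    """Accept a state-changing request only when the cookie session and the
    URL secret agree. Returns (status, message) like a minimal servlet would."""
    session = SESSIONS.get(cookies.get("_SID_"))
    if session is None:
        return 401, "no session"
    secret, app_path = split_secret(path)
    # Constant-time compare so the check does not leak the secret by timing.
    if secret is None or not hmac.compare_digest(secret, session["url_secret"]):
        return 403, "missing or wrong URL secret"
    return 200, "handled " + app_path
```

Note that only the secret, not the session id, ends up in the URL, so a leaked Referer exposes a value that is useless without the matching cookie.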