Koen,

   Again thank you for the reply. I have to say that a lot of the concepts
and usability advantages of your framework over the traditional model
provided by a web app are really beginning to shine through to me :) I love
the idea of the one-time password as it adds a temporal element to possible
session stealing. A malicious user not only needs to identify the session
but also capture the next-password generator, the next password seed & make
use of both before the real user either moves on from their current webapp
state or their session refreshes. Substantial security against most simple
attacks!

   Forgive me, I had come to assume that ExtJS was the basis for the
fundamental Wt client-side code (hence the licence issues.) jQuery is
primarily for events and DOM access, though it is rather small at just 11kb!

Cheers for developing such a cracking framework,

Roj

2008/6/12 Koen Deforche <[EMAIL PROTECTED]>:

> Hey Roja,
>
> > Out of interest, how easy is it to fake a session? The reason I ask is
> > that I adore the simplicity of your aforementioned login from a static
> > page, especially aligned to HTTPS; however, say a malicious user becomes
> > aware of a logged-in user session, how difficult would it be for the
> > malicious user to falsify the logged-in user's session? Does the framework
> > check against IP for verification of the session as well as cookies/URL?
>
> If the hacker knows the session ID, he is in. Checking against the IP
> does not work since some users constantly switch IPs (i.e. they have
> multiple NATs?) -- we did this in an early version of Wt and had to drop
> that. Because of the importance of the session ID, on platforms with
> support for secure (cryptographic or high-entropy) random generators,
> we use them (this is currently the case for Linux and Win32).
>
> If you want to prevent a hacker from eavesdropping on the session ID,
> you currently should use a secure (HTTPS) connection throughout the
> entire application.
>
> Perhaps, if there is enough interest, in the future we might support a
> system where during initialization not only a session ID but a second
> secure random token is exchanged. The latter could then be used as a
> token generating device within the browser, where for each request the
> next "one-time password" is exchanged.
>
> > In addition, I was reading about the issues with the license of the
> > current ExtJS solution. jQuery may offer a replacement library (skinnable
> > to look identical to ExtJS.)
>
> To my understanding, jQuery provides many utility functions for
> manipulating the DOM, but almost no widgets like ExtJS (with the
> exception of a handful, all of which have native implementations in
> Wt)?
>
> Our current plan is to improve the native widgets in Wt, so that the
> added value of ExtJS becomes less over time. For example, that is why
> we added client-side validation support to our WValidators even when
> used in conjunction with plain WFormWidgets. Next up are WTextEdit,
> WTableView, and the layout machinery.
>
> > Finally, can multiple ex apps run on the same domain without session
> > issues? i.e. 1) whatever.com/ 2) whatever.com/admin where the public and
> > admin webapps are entirely separate Wt instances?
>
> You mean like on the Wt homepage, where all examples run alongside
> the homepage itself?
>
> Because we do not use cookies (by default) for session management, a
> single user can even start two sessions of the same application, so
> there is absolutely no cross-talk between sessions in the same domain.
> But even using cookies for session management, there would be no
> problem, as the cookie encodes the exact application path.
>
> Regards,
> koen
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> witty-interest mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/witty-interest
>



-- 
Anthony Roger Buck BSc (Hons) St.A. MBCS
Department of Computer Science
MVB. Clifton, Bristol. BS8 1UB.
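The scheme Koen sketches above (a high-entropy session ID plus a second secret token exchanged at initialisation, from which the browser derives the next "one-time password" for each request), as an added example in Python. This is illustration code, not Wt's implementation: the HMAC-SHA256-over-a-counter construction, the class names and the `scenario()` walk-through are assumptions of mine. It shows the session-ID-only check beside the hardened one, so the difference a leaked session ID makes is visible.

```python
"""Added illustration (not Wt's own code): session ID plus a per-request
one-time password (OTP) derived from a second secret token."""
import hashlib
import hmac
import secrets


def otp_for(token: bytes, counter: int) -> str:
    """Derive the OTP for request number `counter` from the shared token.
    HMAC-SHA256 over the counter is a hypothetical choice; the thread does
    not name a construction."""
    return hmac.new(token, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()


class Server:
    """Per-session state; session IDs and tokens come from the OS CSPRNG."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}

    def new_session(self) -> tuple[str, bytes]:
        session_id = secrets.token_urlsafe(32)  # high-entropy session ID
        token = secrets.token_bytes(32)         # second secret, sent once at init
        self.sessions[session_id] = {"token": token, "counter": 0}
        return session_id, token

    def handle_sid_only(self, session_id: str) -> bool:
        """Session-ID-only check: whoever knows the ID is in."""
        return session_id in self.sessions

    def handle_with_otp(self, session_id: str, presented: str) -> bool:
        """Session ID plus OTP: the OTP must match the *next* expected counter,
        so a captured OTP cannot be replayed and the ID alone is not enough."""
        state = self.sessions.get(session_id)
        if state is None:
            return False
        expected = otp_for(state["token"], state["counter"])
        if not hmac.compare_digest(expected, presented):
            return False
        state["counter"] += 1  # advance only on success
        return True


class Browser:
    """Client side: keeps the token and produces the next OTP per request."""

    def __init__(self, session_id: str, token: bytes) -> None:
        self.session_id, self.token, self.counter = session_id, token, 0

    def next_request(self) -> tuple[str, str]:
        otp = otp_for(self.token, self.counter)
        self.counter += 1
        return self.session_id, otp


def scenario() -> dict[str, bool]:
    """Constructed walk-through: a legitimate user, then an attacker who learned
    the session ID (and even sniffed one full request) but not the token."""
    server = Server()
    sid, token = server.new_session()
    user = Browser(sid, token)
    results = {}

    # Baseline: with session-ID-only checking a leaked ID is game over.
    results["sid_only_attacker"] = server.handle_sid_only(sid)  # True

    # Hardened scheme: first legitimate request succeeds.
    captured_sid, captured_otp = user.next_request()
    results["legit_first"] = server.handle_with_otp(captured_sid, captured_otp)  # True

    # Attacker replays the exact request they sniffed: the counter has moved on.
    results["replay_accepted"] = server.handle_with_otp(captured_sid, captured_otp)  # False

    # Attacker knows the ID but not the token; a guessed OTP fails.
    results["guess_accepted"] = server.handle_with_otp(sid, "0" * 64)  # False

    # Real user continues unaffected (failed attempts did not advance the counter).
    results["legit_second"] = server.handle_with_otp(*user.next_request())  # True
    return results


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {accepted}")
```

Two caveats follow from the thread itself. The token is exchanged once at session start, so this only protects a session ID that leaks after that point (a URL copied into a mail, a referrer); an eavesdropper on the initial exchange captures the token too, which is why Koen's advice to run the whole application over HTTPS still stands. And the strict counter check here means a lost or reordered request would desynchronise client and server; a deployable design would accept a small look-ahead window and resynchronise, at the cost of a slightly larger replay surface.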
