Webware for Python

I use "sequence numbers" to avoid the problem. It's
basically a similar solution to the "secrets"
mentioned in the article. An increasing integer number
is send back to client with every request. The client
must put it back to the server with each new request.
It has the added advantage (that was really my primary
intention) that it can be used with other usefull
purposes (for example, forbidding reloading of
"critical" pages by just checking the sequence number
has/has not already been used). An external attacker
has no piece idea what the next sequence number must
be so Session Riding is not possible (At least that's
what I think).

 I don't know how this mechanism or something similar
could be added in a general way to the Webware
framework, but it would be great if brighter brain
that mine could get it done.

 Regards!

 Enrique


 --- Frank Barknecht <fbar@...> escribió: 
> Hi,
> 
> maybe you have already seen this one some news
> sites, but this
> document on "Session Riding" [1] IMO discusses a
> very important
> security issue with web based applications like you
> all probably
> develop with Webware, too, and it shines new light
> on the Cookie vs.
> URL-session debate. Essential reading!
> 
> [1]
> http://www.securenet.de/papers/Session_Riding.pdf
> 
> Ciao
> -- 
>  Frank Barknecht                               _
> ______footils.org__
> 
> 
>
-------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT
> Products from real users.
> Discover which products truly live up to the hype.
> Start reading now. 
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Webware-discuss mailing list
> Webware-discuss@...
>
https://lists.sourceforge.net/lists/listinfo/webware-discuss
>

Enrique Ariz=F3n wrote:

> I use "sequence numbers" to avoid the problem. It's
> basically a similar solution to the "secrets"
> mentioned in the article. An increasing integer number
> is send back to client with every request. The client
> must put it back to the server with each new request.
> It has the added advantage (that was really my primary
> intention) that it can be used with other usefull
> purposes (for example, forbidding reloading of
> "critical" pages by just checking the sequence number
> has/has not already been used). An external attacker
> has no piece idea what the next sequence number must
> be so Session Riding is not possible (At least that's
> what I think).

I assume you attach this number to the urls in the final HTML response?
Passing it back as cookie is useless, AFAIS.

>  I don't know how this mechanism or something similar
> could be added in a general way to the Webware
> framework, but it would be great if brighter brain
> that mine could get it done.

> I assume you attach this number to the urls in the
> final HTML response?
> Passing it back as cookie is useless, AFAIS.
> 

 Of course, I send it back and for embedded in the
form as a hidden input field, so I can't imagine a
general way to use it in Webware (or any other
framework)

 Regards!

Enrique Ariz=F3n wrote:

>  Of course, I send it back and for embedded in the
> form as a hidden input field, so I can't imagine a
> general way to use it in Webware (or any other
> framework)

Yeah.

Though, if this scheme is used in HTML forms only and application use=20
some form-management tool like FormKit or FunFormKit, it's quite=20
possible to embed this logic there. In fact, it's natural place to put=20
it and I won't be surprised if some of these modules already provide=20
this feature.

Comments, anyone?