Webware for Python

Hallo,
Geoffrey Talvola hat gesagt: // Geoffrey Talvola wrote:

> Using the latest Webware CVS as of a few minutes ago, if you use
> UseAutomaticPathSessions=True with UseCookieSessions=False then the session
> id is exclusively embedded in the URL and never sent in a cookie, so based
> on my reading of the article, this should be safe from session riding.

As I understand the article, this will indeed disable session riding
attacks (It also works with older Webwares, IIR), however session ids
then show up in HTTP-referer headers, which can be used to do other
attackes (like XSS, cross site scripting, I think). 

So the most secure solution is indeed to use "URL secrets", like the
incrementing id already proposed (which must not be guessable) or
random secrets (like in Funcs.uniqueId(), but they lead to uglier
URLs), in combination with Cookie based sessions.

It might be nice to add some kind of secrets to Webkit.Page or another
place in WW.

Ciao
-- 
 Frank Barknecht                               _ ______footils.org__

Frank Barknecht wrote:
> Geoffrey Talvola hat gesagt: // Geoffrey Talvola wrote:
> 
>> Using the latest Webware CVS as of a few minutes ago, if you use
>> UseAutomaticPathSessions=True with UseCookieSessions=False then the
>> session id is exclusively embedded in the URL and never sent in a
>> cookie, so based on my reading of the article, this should be safe
>> from session riding. 
> 
> As I understand the article, this will indeed disable session riding
> attacks (It also works with older Webwares, IIR), however session ids
> then show up in HTTP-referer headers, which can be used to do other
> attackes (like XSS, cross site scripting, I think).

Actually, it doesn't work with older Webware's because until now, the cookie
was always sent along with the path session.  I just added the
UseCookieSessions=False option yesterday.

> 
> So the most secure solution is indeed to use "URL secrets", like the
> incrementing id already proposed (which must not be guessable) or
> random secrets (like in Funcs.uniqueId(), but they lead to uglier
> URLs), in combination with Cookie based sessions.
> 
> It might be nice to add some kind of secrets to Webkit.Page or another
> place in WW.

The secret could be automatically placed in the path using a similar
mechanism to the one used for path sessions.  This wouldn't be hard to add.
I may take a crack at it sometime in January.

- Geoff

On Dec 23, 2004, at 8:10 AM, Geoffrey Talvola wrote:

> Frank Barknecht wrote:
>> Geoffrey Talvola hat gesagt: // Geoffrey Talvola wrote:
>> So the most secure solution is indeed to use "URL secrets", like the
>> incrementing id already proposed (which must not be guessable) or
>> random secrets (like in Funcs.uniqueId(), but they lead to uglier
>> URLs), in combination with Cookie based sessions.
>>
>> It might be nice to add some kind of secrets to Webkit.Page or another
>> place in WW.
>
> The secret could be automatically placed in the path using a similar
> mechanism to the one used for path sessions.  This wouldn't be hard to 
> add.
> I may take a crack at it sometime in January.

Geoff,

I found the article "Dos and Don'ts of Client Authentication on the 
Web" from MIT to be enlightening when I implemented a security model 
for the XML-RPC project I built upon Webware. Here is a link to the 
abstract on usenix.org:

	http://www.usenix.org/publications/library/proceedings/sec01/fu.html

The full text can be downloaded from that page. The Cookie Eaters page 
also has this document and several others on topic.

	http://cookies.lcs.mit.edu/

I would be interested in links for other documents on this topic, 
should anyone care to share them.

hth,

Mark Phillips
Mophilly & Associates
On the web at http://www.mophilly.com
On the phone at 619 444-9210