Frank Barknecht wrote:
> Geoffrey Talvola hat gesagt: // Geoffrey Talvola wrote:
>> Using the latest Webware CVS as of a few minutes ago, if you use
>> UseAutomaticPathSessions=True with UseCookieSessions=False then the
>> session id is exclusively embedded in the URL and never sent in a
>> cookie, so based on my reading of the article, this should be safe
>> from session riding.
> As I understand the article, this will indeed disable session riding
> attacks (It also works with older Webwares, IIR), however session ids
> then show up in HTTP-referer headers, which can be used to do other
> attackes (like XSS, cross site scripting, I think).
Actually, it doesn't work with older Webware's because until now, the cookie
was always sent along with the path session. I just added the
UseCookieSessions=False option yesterday.
> So the most secure solution is indeed to use "URL secrets", like the
> incrementing id already proposed (which must not be guessable) or
> random secrets (like in Funcs.uniqueId(), but they lead to uglier
> URLs), in combination with Cookie based sessions.
> It might be nice to add some kind of secrets to Webkit.Page or another
> place in WW.
The secret could be automatically placed in the path using a similar
mechanism to the one used for path sessions. This wouldn't be hard to add.
I may take a crack at it sometime in January.