From: Geoffrey T. <gta...@na...> - 2004-12-22 15:31:20
Frank Barknecht wrote:
> Hi,
>
> maybe you have already seen this one on some news sites, but this
> document on "Session Riding" [1] IMO discusses a very important
> security issue with web based applications like you all probably
> develop with Webware, too, and it shines new light on the Cookie vs.
> URL-session debate. Essential reading!
>
> [1] http://www.securenet.de/papers/Session_Riding.pdf
>
> Ciao

Using the latest Webware CVS as of a few minutes ago, if you use
UseAutomaticPathSessions=True with UseCookieSessions=False then the
session id is exclusively embedded in the URL and never sent in a
cookie, so based on my reading of the article, this should be safe from
session riding.

Other than ugly URLs, a drawback is that this method _always_ starts a
new session, even if the request doesn't need a session, because right
at the beginning of request processing, it issues a redirect to include
a session ID in the URL, before it knows if a session is needed. I don't
know how to get around that problem easily.

- Geoff
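A toy model of the two configurations Geoff compares, added here as an illustration and not taken from Webware's source or from the message: `handle` resolves a session the way UseCookieSessions / UseAutomaticPathSessions imply, `cookie_alone_resumes_session` checks whether a request carrying only the browser's cookie (what a cross-site request carries, since cookies are attached automatically and URL session ids are not) lands in an existing session, and the 302 branch reproduces the always-start-a-session drawback. The Request/Response classes, the cookie name and the `/_SID_=.../` redirect format are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

SESSIONS: dict = {}      # session id -> session data (constructed in-memory store)
COOKIE = "sid"           # cookie name is an assumption, not Webware's actual name

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    path_sid: Optional[str] = None   # session id carried in the URL, if any

@dataclass
class Response:
    status: int
    sid: str                         # session the request ended up acting under
    set_cookie: Optional[str] = None
    location: Optional[str] = None

def new_session() -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid

def handle(req: Request, use_cookie_sessions: bool, use_path_sessions: bool) -> Response:
    """Resolve the session for req the way the two Webware settings imply."""
    sid = req.cookies.get(COOKIE) if use_cookie_sessions else None
    if sid is None and use_path_sessions:
        sid = req.path_sid
    if sid in SESSIONS:
        return Response(200, sid)                     # existing session found
    sid = new_session()
    if use_path_sessions and not use_cookie_sessions:
        # Geoff's drawback: with path-only sessions every request lacking a URL
        # session id is redirected to one that has it, before the servlet knows
        # whether it needs a session at all (redirect format is constructed).
        return Response(302, sid, location=f"/_SID_={sid}{req.path}")
    return Response(200, sid, set_cookie=f"{COOKIE}={sid}")

def cookie_alone_resumes_session(use_cookie_sessions: bool, use_path_sessions: bool) -> bool:
    """True if a later request carrying only whatever cookie the server set
    (no URL session id) resumes the first request's session."""
    first = handle(Request("/account"), use_cookie_sessions, use_path_sessions)
    cookies = {COOKIE: first.sid} if first.set_cookie else {}
    later = Request("/account", cookies=cookies)
    return handle(later, use_cookie_sessions, use_path_sessions).sid == first.sid
```

With cookie sessions the later request resumes the session; with path-only sessions it does not, but it is also redirected into a brand-new session even though it never asked for one.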