From: Frank B. <fb...@fo...> - 2004-12-23 16:03:53
Hello, Geoffrey Talvola said:
> Using the latest Webware CVS as of a few minutes ago, if you use
> UseAutomaticPathSessions=True with UseCookieSessions=False then the session
> id is exclusively embedded in the URL and never sent in a cookie, so based
> on my reading of the article, this should be safe from session riding.

As I understand the article, this will indeed disable session riding attacks (it also works with older Webware versions, IIRC); however, session ids then show up in HTTP Referer headers, which can be used for other attacks (like XSS, cross site scripting, I think).

So the most secure solution is indeed to use "URL secrets", like the incrementing id already proposed (which must not be guessable) or random secrets (like in Funcs.uniqueId(), but they lead to uglier URLs), in combination with cookie-based sessions.

It might be nice to add some kind of secrets to Webkit.Page or another place in WW.

Ciao
-- 
Frank Barknecht                               _ ______footils.org__
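The combination Frank argues for above (session id only in the cookie, plus a second, unguessable secret embedded in the page that every state-changing request must carry) as an added, self-contained example. This is not Webware code and not from the thread; `Session`, `handle_transfer`, the request dicts and the `SERVER_KEY` are hypothetical stand-ins. It also shows, beyond what the mail discusses, a stateless variant that derives the secret from the session id with an HMAC so nothing extra has to be stored per session.

```python
"""Anti-CSRF ("session riding") secrets alongside cookie sessions.

Added example, not Webware code: a hypothetical minimal stand-in that keeps
the session id in the cookie only (so it never leaks through Referer) and
requires every state-changing request to also carry an unguessable secret
embedded in the page. A cross-site page can make the victim's browser send
the cookie, but it cannot read the secret out of the victim's page, so the
forged request is rejected.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed per-process key for the stateless HMAC variant below.
SERVER_KEY = secrets.token_bytes(32)


class Session:
    """Minimal cookie-session stand-in (hypothetical, not Webware's Session)."""

    def __init__(self) -> None:
        self.sid = secrets.token_urlsafe(24)   # the value the cookie carries
        self._csrf_secret: Optional[str] = None

    def csrf_token(self) -> str:
        """Random per-session secret to embed in forms or URLs.

        A plain incrementing counter would be guessable by anyone who can
        observe their own token; token_urlsafe is not.
        """
        if self._csrf_secret is None:
            self._csrf_secret = secrets.token_urlsafe(32)
        return self._csrf_secret

    def csrf_ok(self, submitted: Optional[str]) -> bool:
        """Constant-time comparison; a missing or wrong secret fails closed."""
        if submitted is None or self._csrf_secret is None:
            return False
        return hmac.compare_digest(self._csrf_secret, submitted)


def hmac_csrf_token(sid: str, key: bytes = SERVER_KEY) -> str:
    """Stateless alternative: derive the secret from the session id.

    Nothing is stored per session, the token in the URL reveals nothing
    about the sid (HMAC is one-way), and it still differs per session.
    """
    return hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()


def hmac_csrf_ok(sid: str, submitted: Optional[str],
                 key: bytes = SERVER_KEY) -> bool:
    """Recompute the HMAC token for this session and compare in constant time."""
    if submitted is None:
        return False
    return hmac.compare_digest(hmac_csrf_token(sid, key), submitted)


# --- simulated request handling (constructed, not a real web stack) --------

SESSIONS: Dict[str, Session] = {}


def login() -> Session:
    """Create a session; in a real app the sid goes out in Set-Cookie."""
    s = Session()
    SESSIONS[s.sid] = s
    return s


def render_transfer_form(s: Session) -> str:
    """The page the user sees; the hidden field is the URL/form secret."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{s.csrf_token()}">'
            '<input name="amount"></form>')


def handle_transfer(request: Dict[str, Optional[str]]) -> str:
    """request = {"cookie_sid": ..., "csrf": ..., "amount": ...} (constructed)."""
    s = SESSIONS.get(request.get("cookie_sid") or "")
    if s is None:
        return "401 no session"
    if not s.csrf_ok(request.get("csrf")):
        return "403 csrf check failed"
    return f"200 transferred {request.get('amount')}"


if __name__ == "__main__":
    victim = login()
    page = render_transfer_form(victim)
    # Forged cross-site request: the browser attaches the cookie, but the
    # attacker's page cannot read `page`, so it cannot supply the secret.
    print(handle_transfer({"cookie_sid": victim.sid, "amount": "1000"}))
    # The genuine form submission carries the secret and succeeds.
    print(handle_transfer({"cookie_sid": victim.sid,
                           "csrf": victim.csrf_token(), "amount": "10"}))
```

The check must fail closed: a request that arrives before the form was ever rendered has no secret to compare against, and `csrf_ok` treats that the same as a wrong value. Using `hmac.compare_digest` for the comparison avoids leaking the secret byte by byte through timing, which matters more for the long-lived HMAC variant than for a per-session random token.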