[hunchentoot-devel] Sessions not secure?

Sohail Somani sohail at taggedtype.net
Sun Dec 23 21:36:43 UTC 2007


Hi,

In the documentation for Hunchentoot it says that start-session either 
uses a cookie or url rewriting to maintain the session state. Then it 
goes on to say:

Hunchentoot makes some reasonable effort to prevent eavesdroppers from 
hijacking sessions (see below), but this should not be considered really 
secure. Don't store sensitive data in sessions and rely solely on the 
session mechanism as a safeguard against malicious users who want to get 
at this data! 

What is it referring to when it says "see below"? If we assume malicious 
users can get at the data, is this different from session hijacking?

I am assuming (maybe incorrectly) that the following sequence is as 
secure as the user name and password.

 * User connects via https (no session exists)
 * Since no session exists, user is redirected to some login page
 * User enters user name and password and submits form
 * This information is authenticated and a session is created:
   (setf hunchentoot:*session* (hunchentoot:start-session))
 * On subsequent requests, since the user has a session, we can 
   assume they are authenticated:
   (unless hunchentoot:*session*
     (redirect-to-login-page))

I guess it all hinges on start-session and how it generates the session 
ids.

Thanks.

-- 
Sohail Somani
http://uint32t.blogspot.com
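The login flow sketched in the post, written out as a pair of Hunchentoot handlers. This is an added example, not code from the post or from Hunchentoot itself; it assumes the Hunchentoot functions and specials named in the comments, and check-credentials is a hypothetical placeholder for the real password check.

```lisp
;; Added example (not from the original post or from Hunchentoot).
;; Assumes a Hunchentoot version providing define-easy-handler,
;; start-session, remove-session, session-value, redirect and the
;; *rewrite-for-session-urls* / *session-max-time* specials.

(require :hunchentoot)

;; Keep the session id out of URLs: a rewritten URL leaks the id through
;; Referer headers, browser history and proxy logs, which is one of the
;; eavesdropping paths the documentation warns about.
(setf hunchentoot:*rewrite-for-session-urls* nil)

;; Expire idle sessions after 30 minutes instead of the default.
(setf hunchentoot:*session-max-time* (* 30 60))

(defun check-credentials (user password)
  "Hypothetical placeholder; replace with a real credential check."
  (declare (ignore user password))
  nil)

(hunchentoot:define-easy-handler (login :uri "/login") (user password)
  (cond ((and user password (check-credentials user password))
         ;; Discard any session that existed before authentication so an
         ;; id already sitting in the browser (session fixation) never
         ;; becomes an authenticated one, then start a fresh session.
         (when hunchentoot:*session*
           (hunchentoot:remove-session hunchentoot:*session*))
         (hunchentoot:start-session)
         ;; Record who authenticated; this value, not the mere existence
         ;; of a session object, is what later requests should test.
         (setf (hunchentoot:session-value :user) user)
         (hunchentoot:redirect "/app"))
        (t "<form method=\"post\"><input name=\"user\">
<input name=\"password\" type=\"password\"><input type=\"submit\"></form>")))

(hunchentoot:define-easy-handler (app :uri "/app") ()
  ;; A session only proves the browser presented a valid cookie; test the
  ;; value set at login rather than checking *session* for non-nil, since
  ;; start-session may have been called on other paths too.
  (let ((user (hunchentoot:session-value :user)))
    (if user
        (format nil "Hello ~a" user)
        (hunchentoot:redirect "/login"))))
```

The cookie itself is still only as safe as the transport, so the whole site, not just the login page, has to stay on https for this gate to mean anything.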
