[hunchentoot-devel] Sessions not secure?
Sohail Somani
sohail at taggedtype.net
Sun Dec 23 21:58:53 UTC 2007
[fixing formatting, I hope]
Hi,
In the documentation for Hunchentoot it says that start-session either
uses a cookie or url rewriting to maintain the session state. Then it goes
on to say:
Hunchentoot makes some reasonable effort to prevent eavesdroppers from
hijacking sessions (see below), but this should not be considered really
secure. Don't store sensitive data in sessions and rely solely on the
session mechanism as a safeguard against malicious users who want to get
at this data!
What is it referring to when it says "see below?" If we assume malicious
users can get at the data, is this different from session hijacking?
I am assuming (maybe incorrectly) that the following sequence is as secure
as the user name and password.
- User connects via https (no session exists)
- Since no session exists, user is redirected to some login page
- User enters user name and password and submits form
- This information is authenticated and a session is created:
- (setf hunchentoot:*session* (start-session))
- On subsequent requests, since the user has a session, we can
assume they are authenticated.:
- (unless hunchentoot:*session*
(redirect-to-login-page))
I guess it all hinges on start-session and how it generates the session
id's.
Thanks.
--
Sohail Somani
http://uint32t.blogspot.com
More information about the Tbnl-devel
mailing list