[hunchentoot-devel] Sessions not secure?

Sohail Somani sohail at taggedtype.net
Sun Dec 23 22:22:22 UTC 2007


On Sun, 23 Dec 2007 23:04:20 +0100, Edi Weitz wrote:

[snip]
> 
> The explanation of the details of the session mechanism, specifically
> *USE-REMOTE-ADDR-FOR-SESSIONS* and *USE-USER-AGENT-FOR-SESSIONS*.
> 
[snip]

> To hijack a session someone has to get at the session ID.  That's not
> Hunchentoot's problem, but if you (see above) already start with https,
> that's certainly a good thing.  The question is what you can do with a
> foreign session ID once you have it.  How long does it last? Will it
> work with different browsers and/or from different IPs?  And so on.
> 
> Hunchentoot tries to provide a couple of options, but eventually you
> will have to make a decision.

Ok, thank you for your clarifications. I went through the source and
noticed that the session IDs are generated sequentially. So one other
way that sessions can be hijacked is by guessing the session ID. Of
course, this is if you do not use the IP address and user agent options
that you mentioned above. Otherwise, even if you use SSL, your session
can be hijacked.

Hypothetically speaking, if I wanted to prevent hijacking by guessing, I 
could just redefine hunchentoot:get-next-session-id.

Does this sound correct? 

Btw, great set of libraries. I don't know how you do it. My theory is 
that you are really three people.

-- 
Sohail Somani
http://uint32t.blogspot.com
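The redefinition Sohail proposes, as an added Common Lisp example that is not part of the original post and not Hunchentoot's own code. It assumes that HUNCHENTOOT::GET-NEXT-SESSION-ID is a zero-argument function returning an integer (as the post implies), that /dev/urandom is available on the host, and that the hypothetical helpers RANDOM-SESSION-ID, SEQUENTIAL-SESSION-ID, PREDICTABLE-P and INSTALL-RANDOM-SESSION-IDS are named here for illustration only:

```lisp
;;; Added example: replacing a sequential session-ID counter with a
;;; CSPRNG-derived one. Not from the original post or from Hunchentoot.
;;; Assumption: HUNCHENTOOT::GET-NEXT-SESSION-ID takes no arguments and
;;; returns an integer that is used as the session key.

(defparameter *session-id-bits* 128
  "Entropy per session ID; 128 bits puts guessing out of reach.")

(defun read-urandom-bytes (n)
  "Read N octets from /dev/urandom (assumed to exist on this host)."
  (with-open-file (in "/dev/urandom" :element-type '(unsigned-byte 8))
    (let ((buf (make-array n :element-type '(unsigned-byte 8))))
      (read-sequence buf in)
      buf)))

(defun bytes-to-integer (bytes)
  "Big-endian conversion of an octet vector to a non-negative integer."
  (reduce (lambda (acc b) (logior (ash acc 8) b)) bytes :initial-value 0))

(defun random-session-id ()
  "Drop-in replacement for a counter: an unpredictable integer ID."
  (bytes-to-integer (read-urandom-bytes (ceiling *session-id-bits* 8))))

;;; The kind of generator the post describes: each ID is the previous
;;; one plus one, so an attacker who sees one ID can guess its neighbours.
(let ((counter 0))
  (defun sequential-session-id ()
    (incf counter)))

(defun predictable-p (generator &optional (samples 5))
  "Heuristic check: do SAMPLES consecutive IDs differ by exactly 1?"
  (let ((ids (loop repeat samples collect (funcall generator))))
    (every (lambda (a b) (= (- b a) 1)) ids (rest ids))))

(defun install-random-session-ids ()
  "If Hunchentoot is loaded, point its (assumed) GET-NEXT-SESSION-ID
at RANDOM-SESSION-ID. Returns T when the swap happened, NIL otherwise."
  (let* ((pkg (find-package "HUNCHENTOOT"))
         (sym (and pkg (find-symbol "GET-NEXT-SESSION-ID" pkg))))
    (when (and sym (fboundp sym))
      (setf (symbol-function sym) #'random-session-id)
      t)))
```

Evaluating (predictable-p #'sequential-session-id) exposes the counter's linear pattern, while (predictable-p #'random-session-id) does not. Two caveats a practitioner would check before relying on (install-random-session-ids): the swap only takes effect for callers that go through the function cell (it does nothing if the library inlined the call), and it must run before the first session is created so no sequential IDs are ever issued.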