[hunchentoot-devel] Sessions not secure?
Sohail Somani
sohail at taggedtype.net
Sun Dec 23 22:22:22 UTC 2007
On Sun, 23 Dec 2007 23:04:20 +0100, Edi Weitz wrote:
[snip]
>
> The explanation of the details of the session mechanism, specifically
> *USE-REMOTE-ADDR-FOR-SESSIONS* and *USE-USER-AGENT-FOR-SESSIONS*.
>
[snip]
> To hijack a session someone has to get at the session ID. That's not
> Hunchentoot's problem, but if you (see above) already start with https,
> that's certainly a good thing. The question is what you can do with a
> foreign session ID once you have it. How long does it last? Will it
> work with different browsers and/or from different IPs? And so on.
>
> Hunchentoot tries to provide a couple of options, but eventually you
> will have to make a decision.
OK, thank you for your clarifications. I went through the source and
noticed that the session IDs are generated sequentially. So one other
way that sessions can be hijacked is by guessing the session ID. Of
course, this is if you do not use the IP address and user agent options
that you mentioned above. Otherwise, even if you use SSL, your session
can be hijacked.
Hypothetically speaking, if I wanted to prevent hijacking by guessing, I
could just redefine hunchentoot:get-next-session-id.
Does this sound correct?
Btw, great set of libraries. I don't know how you do it. My theory is
that you are really three people.
--
Sohail Somani
http://uint32t.blogspot.com
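The concern raised above, predictable sequential session IDs versus unguessable ones, as an added example that is not Hunchentoot's code and not from this thread: a constructed counter-based generator models the behaviour described, a CSPRNG-backed generator is the hardened form, and `audit_session_ids` is a defender's check you can run over a sample of IDs a server actually issued.

```python
import math
import secrets
from itertools import count


class SequentialSessionIds:
    """Constructed model of a counter-based generator (the behaviour the
    post describes); NOT Hunchentoot's code. Anyone holding one ID can
    enumerate its neighbours."""

    def __init__(self, start=1):
        self._counter = count(start)

    def next_id(self):
        return str(next(self._counter))


class RandomSessionIds:
    """Hardened form: 128 bits from the OS CSPRNG, so seeing one ID tells
    nothing about the next."""

    def next_id(self):
        return secrets.token_hex(16)  # 32 hex characters


def audit_session_ids(ids, min_bits=64):
    """Defender's check over a sample of issued IDs. Returns (ok, reason).
    Flags (1) IDs forming an arithmetic progression in base 10 or 16, i.e.
    a counter, and (2) IDs too short to hold min_bits of entropy given the
    alphabet seen. A pass is necessary, not sufficient: it cannot prove the
    generator is a CSPRNG."""
    if len(ids) < 3:
        raise ValueError("need at least three IDs to detect a progression")
    for base in (10, 16):
        try:
            values = [int(s, base) for s in ids]
        except ValueError:
            continue
        diffs = {b - a for a, b in zip(values, values[1:])}
        if len(diffs) == 1:
            return False, f"counter: each ID differs from the last by {diffs.pop()}"
        break  # numeric but not a progression; fall through to the size check
    alphabet = len(set("".join(ids)))
    bits = min(len(s) for s in ids) * math.log2(alphabet)
    if bits < min_bits:
        return False, f"at most {bits:.0f} bits of entropy, below {min_bits}"
    return True, f"no counter pattern; up to {bits:.0f} bits per ID"


if __name__ == "__main__":
    for gen in (SequentialSessionIds(), RandomSessionIds()):
        sample = [gen.next_id() for _ in range(10)]
        print(type(gen).__name__, audit_session_ids(sample))
```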