[hunchentoot-devel] Fwd: hunchentoot session hijacking
Anton Vodonosov
avodonosov at yandex.ru
Sun Oct 26 04:48:28 UTC 2008
on Friday, October 24, 2008, 1:43:18 PM Hans wrote:
> So, if you feel that this is something that needs to be addressed, can
> you provide us with a patch, either to the source code or to the
> documentation? A documentation patch could consist of a short summary
> of your security analysis and a description how the concerned user can
> make the server more secure.
Hi.
My suggestion is in the patch attached. It introduces new variable
*session-secretizer* which is supposed to be set by the concerned user
to some secret value. *session-secretizer* is used as a part of
*session-secret*. If it is not set, *session-secret* is generated as
before, but a WARN is issued.
Perhaps *session-secretizer* is a stupid name, but I was not able to
contrive anything better, taking into account that *session-secret*
is already busy.
Also attached is a small patch to cl+ssl in your repository that
makes it compilable on sbcl win32.
Best regards,
- Anton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: session-secretizer.diff
Type: application/octet-stream
Size: 3419 bytes
Desc: not available
URL: <https://mailman.common-lisp.net/pipermail/tbnl-devel/attachments/20081026/03e2a2a7/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cl+ssl.diff
Type: application/octet-stream
Size: 633 bytes
Desc: not available
URL: <https://mailman.common-lisp.net/pipermail/tbnl-devel/attachments/20081026/03e2a2a7/attachment-0001.obj>
More information about the Tbnl-devel
mailing list