| Re: sessions causing refreshing not to work [message #178332 is a reply to message #178331] |
Tue, 05 June 2012 20:05   |
Peter H. Coffin
Messages: 245
Registered: September 2010
Karma:
|
Senior Member |
|
|
On Tue, 05 Jun 2012 20:52:23 +0200, Thomas 'PointedEars' Lahn wrote:
> Peter H. Coffin wrote:
>
>> On Tue, 05 Jun 2012 06:46:28 +0200, Thomas 'PointedEars' Lahn wrote:
>>>> Set session.use_trans_sid, unset session.use_cookie, don't forget to
>>>> grab the session ID out of the $_GET array for every page load. Yes,
>>>> your URLs will be ugly, and it'll be not impossible for someone to end
>>>> up screwing things somehow with URL bookmarking or sharing.
>>>
>>> More importantly, it will be a security hole to be exploited:
>>>
>>> < https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Manage_Sessi on_ID_as_Any_Other_User_Input>
>>
>> Sorry, I refuse to think of what *should be* expected behavior
>
> It is by no means expected behavior.
Sure it is. "DO NOT TRUST THE CLIENT". Clean incoming stuff, provide for
backing out everything that the client does, etc. The same stuff we
always end up talking about as "security holes" are not discrete little
things but part of an overriding principle. Learning only the little
things and not the principle is WHY stuff becomes exploitable.
>> as a "security hole". People can manipulate cookie values almost as easily
>
> Because of that, HTTP-only cookies have been invented.
DO NOT TRUST THE CLIENT. That only *helps* mitigate third-party attacks.
It something between bupkis and squat against someone that's trying to
hijack a session and has access to anything more than a javascript jail.
>> and they're no more trustworthy than a $_GET result.
>
> Correct, but by contrast they are not stored unencrypted in the user's
> history, cannot be accidentally transmitted, and so on.
If the site's properly policing client input, all of those things are
dealt with, from the site's perspective. From the user's perspective,
the same hazards exist with cookies, http-only or otherwise, or are
"secured" by only by preventing exactly the kind of behavior that the
OP is hoping to enable: separating the session from the one-to-one
relationship with the browser/OS-user combination to something else.
>> This doesn't even bear discussing separately, and doing so only ends up
>> further complicating an issue that enough people have trouble learning
>> into their bones in the first place.
>
> You are wrong.
Heh. Succinct, but about as useful as "You are a doody-head".
--
29. I will dress in bright and cheery colors, and so throw my enemies
into confusion.
--Peter Anspach's list of things to do as an Evil Overlord
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]