From: tomas@tuxteam.de
Newsgroups: gmane.lisp.guile.user
Subject: Re: mailmam, web bridge, forum, p2p
Date: Sun, 27 Oct 2019 09:50:17 +0100
Message-ID: <20191027085017.GE27935@tuxteam.de>
To: Mike Gerwitz
Cc: guile-user@gnu.org
On Sun, Oct 27, 2019 at 01:32:54AM -0400, Mike Gerwitz wrote:

[...]

> > Back in what feels like a previous lifetime by now, I used to do a lot
> > of work with phpBB2, which had an option to either store sessions in
> > cookies or place PHPSESSID in the URL. It modified every link to
> > include a session id [...]
>
> Since I was in the mindset of leaking information, I forgot to mention
> another negative side-effect of including tokens as query strings: it
> can turn link sharing into a weapon using session fixation. E.g. I
> could create an account, send a link to you with my session token, and
> you may then be logged into my account.

Actually there are two scenarios: User A (say Alice) "has" the session
and passes a link to B (Bob), session token included. This could be
negligence, and now Bob might do something nasty with Alice's session
(e.g. go on a shopping spree)...

> The user may then perform an
> action that may benefit the attacker (or the action could be part of the
> URL).

...but you seem to imply that there's a reverse scenario, where Alice
does something nasty to Bob?

> This is sometimes used as a poor-man's SSO. :x It can also work with
> POSTs: direct the user to an auto-submitting form.

Yes, you could take your "session token" with you, to another computer,
but this seems somewhat fragile [1].

> Cookies are better suited for storing session tokens---you cannot set
> cookie values for other domains without some other type of exploit
> (e.g. XSS, but your cookies best be set to HTTP-only to mitigate that).

Cookies are, after all, client-side data. The browser might not allow
you to do something, but you can engineer all sorts of HTTP requests:
that means the server has to do its own sanity checks anyway.

Cheers

[1] That's why I'd go for a fairly strict session expiry; perhaps (but I
haven't played with it in practice!) you'd need transaction tokens
instead (as those continuation based thingies use), which can be even
more short-lived. Perhaps even some correlation between token and client
profile (IP address, etc.).

-- tomás
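The defences the two of them circle around (session id carried only in an HttpOnly cookie and never read from the URL, rotation of the id at login so a shared or planted id becomes a dead handle, strict idle expiry, and a per-session transaction token that state-changing POSTs must echo back so the server does its own sanity check) fit in one small server-side session store. This is an added example, not code from the thread, phpBB or Guile; the store, the Request shape, the TTL value and the scenario functions are all constructed for illustration.

```python
# Added example, not code from the thread, phpBB or Guile; names, TTL and
# the Request shape are constructed for this illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TTL_SECONDS = 600  # hypothetical strict idle expiry, per footnote [1]

@dataclass
class Session:
    user: Optional[str]
    last_seen: float
    txn_token: str  # per-session secret that state-changing forms must echo

class SessionStore:
    def __init__(self, ttl: float = IDLE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._sessions: dict = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised offline

    def create(self) -> str:
        """Anonymous session; the id comes from a CSPRNG, never from the client."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(None, self._clock(), secrets.token_urlsafe(32))
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        """Resolve an id, discarding it if it sat idle longer than the TTL."""
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._ttl:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess

    def login(self, sid: Optional[str], user: str) -> str:
        """Authenticate and rotate the id, so whoever else knows the old one
        (sender of a shared link, or someone who planted it) holds nothing."""
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid].user = user
        return new_sid

@dataclass
class Request:  # just the request fields this example needs
    cookies: dict
    query: dict
    form: dict

def set_cookie_header(sid: str) -> str:
    # HttpOnly keeps script away from it, Secure keeps it off plain HTTP,
    # SameSite=Lax keeps cross-site auto-submitted POSTs from carrying it.
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def current_user(store: SessionStore, req: Request) -> Optional[str]:
    """Only the cookie is consulted; a sid in the query string is ignored."""
    sess = store.get(req.cookies.get("sid"))
    return sess.user if sess else None

def perform_purchase(store: SessionStore, req: Request) -> str:
    """Server-side sanity check: a valid cookie alone does not authorise."""
    sess = store.get(req.cookies.get("sid"))
    if sess is None or sess.user is None:
        return "rejected: no session"
    if not secrets.compare_digest(req.form.get("txn", ""), sess.txn_token):
        return "rejected: bad transaction token"
    return f"ok: purchase by {sess.user}"

def shared_link_scenario() -> Optional[str]:
    """Alice sends Bob a URL carrying her session id; Bob opens it cold."""
    store = SessionStore()
    alice = store.login(store.create(), "alice")
    return current_user(store, Request({}, {"sid": alice}, {}))  # None

def fixation_scenario() -> tuple:
    """The victim logs in with an id a third party already knows."""
    store = SessionStore()
    planted = store.create()
    victim = store.login(planted, "bob")
    leftover = current_user(store, Request({"sid": planted}, {}, {}))
    return leftover, victim != planted  # (None, True)

def expiry_scenario() -> Optional[str]:
    """A logged-in session that sits idle past the TTL is gone."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.login(store.create(), "alice")
    now[0] = IDLE_TTL_SECONDS + 1
    return current_user(store, Request({"sid": sid}, {}, {}))  # None

def forged_post_scenario() -> tuple:
    """An auto-submitted form may ride the cookie but cannot know the token."""
    store = SessionStore()
    sid = store.login(store.create(), "alice")
    forged = Request({"sid": sid}, {}, {"item": "gift-card"})
    genuine = Request({"sid": sid}, {}, {"txn": store.get(sid).txn_token})
    return perform_purchase(store, forged), perform_purchase(store, genuine)
```

The transaction-token check in perform_purchase is deliberately kept even though SameSite=Lax would already stop most cross-site auto-submitted POSTs from carrying the cookie: the browser's behaviour is the client's business, and the server checks what it can verify itself. Binding a session to a client profile such as the IP address, as the footnote suggests, would be one more field on Session compared in get(); it is left out here because it is a trade-off (mobile clients change addresses) rather than a clear win.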