From: Mike Gerwitz
Newsgroups: gmane.lisp.guile.user
Subject: Re: mailmam, web bridge, forum, p2p
Date: Sun, 27 Oct 2019 01:32:54 -0400
Message-ID: <87mudmrbw9.fsf@gnu.org>
References: <20191023064813.6igo2qi2cwtcz5bz@pelzflorian.localdomain> <20191023113724.bf055453852ec206af8d7bef@gmail.com> <20191023112544.5s65wrzbexnlsj22@pelzflorian.localdomain> <20191023123343.wanooc44orpyo7tk@pelzflorian.localdomain> <20191024123023.rvedpc5uqrm5ku6v@pelzflorian.localdomain> <87a79peh8n.fsf@gnu.org> <20191026074837.GD15076@tuxteam.de> <87zhhmssfq.fsf@gnu.org>
Cc: guile-user@gnu.org
In-Reply-To: <87zhhmssfq.fsf@gnu.org> (Mike Gerwitz's message of "Sun, 27 Oct 2019 00:50:17 -0400")
OpenPGP: id=D6E9B930028A6C38F43B2388FEF635745E6F6D05

On Sun, Oct 27, 2019 at 00:50:17 -0400, Mike Gerwitz wrote:
> On Sat, Oct 26, 2019 at 09:48:37 +0200, tomas@tuxteam.de wrote:
>>> Passing session tokens via GET requests is a bad idea, because that
>>> leaks the token.
>>
>> Even in https?

[...]

> Back in what feels like a previous lifetime by now, I used to do a lot
> of work with phpBB2, which had an option to either store sessions in
> cookies or place PHPSESSID in the URL. It modified every link to
> include a session id. It tried to mitigate the issue by checking the
> source IP address, but if you were logged on the same network (e.g. in
> the same place of employment; school; library; etc), then sharing a link
> would lead to session hijacking.

Since I was in the mindset of leaking information, I forgot to mention
another negative side-effect of including tokens as query strings: it can
turn link sharing into a weapon using session fixation. E.g. I could
create an account, send a link to you with my session token, and you may
then be logged into my account.
The user may then perform an action that may benefit the attacker (or
the action could be part of the URL). This is sometimes used as a
poor-man's SSO. :x

It can also work with POSTs: direct the user to an auto-submitting form.

Cookies are better suited for storing session tokens---you cannot set
cookie values for other domains without some other type of exploit
(e.g. XSS, but your cookies best be set to HTTP-only to mitigate that).

-- 
Mike Gerwitz
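The two misuses of a URL-carried session token that Mike describes (the victim landing in the attacker's logged-in session, and the victim logging in through an id the attacker already knows), replayed beside a cookie-backed session that is rotated at login. This is an added illustration, not code from the thread or from any Guile project: the in-memory session store, the handler names, the forum.example hostname and the "attacker"/"victim" user names are all invented for the demo.

```python
"""Session fixation through URL-carried tokens, beside a cookie-backed
session that is rotated at login.

Added illustration; not code from the mailing-list thread.  The store,
handler names, hostnames and usernames are invented for the demo.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlparse, parse_qs


class SessionStore:
    """In-memory session table: session id -> username (None = anonymous)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid


# ---- Vulnerable scheme: the session id rides in the query string ----------

def sid_from_url(url):
    return parse_qs(urlparse(url).query).get("sid", [None])[0]


def login_url_token(store, url, username):
    """phpBB2-style: adopt whatever ?sid= the request carries and bind the
    freshly authenticated user to it.  Anyone who knows the URL knows the id."""
    sid = sid_from_url(url)
    if sid not in store.sessions:          # unknown id: mint a new one
        sid = store.new_session()
    store.sessions[sid] = username
    return f"https://forum.example/index.php?sid={sid}"


def whoami_url_token(store, url):
    """Identity is whatever the ?sid= in the URL says it is."""
    return store.sessions.get(sid_from_url(url))


# ---- Hardened scheme: id in an HttpOnly cookie, rotated at login ---------

def sid_from_cookie(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["sid"].value if "sid" in jar else None


def login_cookie(store, cookie_header, username):
    """Retire any pre-login session and issue a fresh id at authentication,
    so an id known before login (leaked, guessed or planted) is worthless."""
    old = sid_from_cookie(cookie_header)
    store.sessions.pop(old, None)
    sid = store.new_session()
    store.sessions[sid] = username
    # HttpOnly keeps script (XSS) from reading it; Secure keeps it off
    # cleartext; SameSite=Lax keeps it off cross-site POSTs.
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def whoami_cookie(store, cookie_header):
    return store.sessions.get(sid_from_cookie(cookie_header))


def run_demo():
    """Replay the attack from the thread against both schemes."""
    out = {}

    # 1. URL tokens: attacker logs in, mails the link, victim opens it and
    #    is now acting inside the attacker's account.
    store = SessionStore()
    shared_link = login_url_token(store, "https://forum.example/", "attacker")
    out["victim_sees_self_as"] = whoami_url_token(store, shared_link)

    # 2. URL tokens, the other direction: attacker hands out an anonymous
    #    id; victim logs in through it; attacker now owns victim's session.
    planted = f"https://forum.example/login?sid={store.new_session()}"
    login_url_token(store, planted, "victim")
    out["attacker_sees_self_as"] = whoami_url_token(store, planted)

    # 3. Cookies: an id known before login is discarded at login, and a
    #    link carrying ?sid= proves nothing because identity is read from
    #    the Cookie header, which another site cannot set for this domain.
    store = SessionStore()
    known = store.new_session()
    set_cookie = login_cookie(store, f"sid={known}", "victim")
    out["old_id_still_valid"] = known in store.sessions
    out["attacker_with_old_id_sees"] = whoami_cookie(store, f"sid={known}")
    out["victim_with_new_cookie_sees"] = whoami_cookie(store, set_cookie.split(";")[0])
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the cookie half makes is that the channel matters as much as the flags: an attacker can put anything into a link, but cannot set a cookie for forum.example from another origin, and because `login_cookie` issues a fresh id at authentication, even an id that did leak before login buys nothing afterwards. The HttpOnly flag covers the XSS caveat in the message above; it does nothing for the URL scheme, where the id is never in a cookie to begin with.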