From: Mike Gerwitz
Newsgroups: gmane.lisp.guile.user
Subject: Re: mailmam, web bridge, forum, p2p
Date: Sun, 27 Oct 2019 00:50:17 -0400
Message-ID: <87zhhmssfq.fsf@gnu.org>
In-Reply-To: <20191026074837.GD15076@tuxteam.de> (tomas@tuxteam.de's message of "Sat, 26 Oct 2019 09:48:37 +0200")
References: <20191023064813.6igo2qi2cwtcz5bz@pelzflorian.localdomain>
 <20191023113724.bf055453852ec206af8d7bef@gmail.com>
 <20191023112544.5s65wrzbexnlsj22@pelzflorian.localdomain>
 <20191023123343.wanooc44orpyo7tk@pelzflorian.localdomain>
 <20191024123023.rvedpc5uqrm5ku6v@pelzflorian.localdomain>
 <87a79peh8n.fsf@gnu.org>
 <20191026074837.GD15076@tuxteam.de>
Cc: guile-user@gnu.org
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"
OpenPGP: id=D6E9B930028A6C38F43B2388FEF635745E6F6D05
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
List-Id: General Guile related discussions
Xref: news.gmane.org gmane.lisp.guile.user:15859

To make sure I see replies, please include me in the recipient list (not
just the mailing list).  I missed this at first.

On Sat, Oct 26, 2019 at 09:48:37 +0200, tomas@tuxteam.de wrote:
>> Passing session tokens via GET requests is a bad idea, because that
>> leaks the token.
>
> Even in https?

Transport is only part of the problem.  Query parameters are also leaked
to webserver access logs; they can leak to 3rd party logs via the
referrer header (I sometimes see sensitive data in my webserver logs
from other domains); they're retained in browser history and written to
disk; may show up in proxy logs (e.g. when passing through load
balancers); could be easily pasted unwittingly to third parties (e.g. a
user sharing a link with someone else); etc.

Back in what feels like a previous lifetime by now, I used to do a lot
of work with phpBB2, which had an option to either store sessions in
cookies or place PHPSESSID in the URL.  It modified every link to
include a session id.  It tried to mitigate the issue by checking the
source IP address, but if you were logged in on the same network
(e.g. in the same place of employment; school; library; etc.), then
sharing a link would lead to session hijacking.

Such link rewriting schemes also cause other types of problems.  For
example, you may be able to cache most of the generated HTML (except for
e.g. the header) regardless of what user is logged in.  But if you have
to inject tokens into all links, that type of caching isn't useful.

-- 
Mike Gerwitz
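The leak paths listed above (request line in the access log, another site's session id arriving in the Referer header) are easy to check for in your own logs. The following is an editor-added example, not code from this thread or from phpBB: a small Python scanner that parses constructed access-log lines in Apache/nginx "combined" format, flags query parameters that look like session or bearer credentials in both the request target and the Referer, and a redaction helper for the logging pipeline. The sample log lines, hostnames and the list of suspect parameter names are constructed assumptions.

```python
"""Spot session tokens that leaked into a web server's access log via the URL.

Editor-added example (not code from the mailing-list thread).  The log
lines, hostnames and parameter names below are constructed for the demo.
"""
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample in Apache/nginx "combined" log format.  Line 1 carries a
# phpBB2-style PHPSESSID in the request URL; line 2 is a hit on an image whose
# Referer header carries another site's session id (the "3rd party logs" case);
# lines 3 and 4 are clean.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2019:00:50:17 -0400] "GET /viewtopic.php?t=42&PHPSESSID=9f3c0a7e5d2b4c6a8e1f0d3b5a7c9e2f HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Oct/2019:00:51:03 -0400] "GET /img/logo.png HTTP/1.1" 200 880 "https://forum.example.net/profile.php?mode=editprofile&sid=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d" "Mozilla/5.0"
192.0.2.44 - - [27/Oct/2019:00:52:11 -0400] "GET /index.php?page=3 HTTP/1.1" 200 2048 "https://forum.example.net/index.php" "Mozilla/5.0"
192.0.2.45 - - [27/Oct/2019:00:53:00 -0400] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names that conventionally carry a session or bearer credential
# (assumed list; extend it for your application).
SUSPECT_PARAMS = {
    "phpsessid", "jsessionid", "sid", "session", "sessionid", "session_id",
    "token", "access_token", "api_key", "apikey", "auth",
}
# Anything 32+ chars of hex/base64url is probably a token under another name.
TOKEN_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-=]{32,}$")


def is_credential(name, value):
    """Heuristic: suspect name, or a long opaque value regardless of name."""
    return name.lower() in SUSPECT_PARAMS or bool(TOKEN_VALUE_RE.match(value))


def suspicious_params(url):
    """Return [(name, value)] for query parameters that look like credentials."""
    return [(n, v) for n, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if is_credential(n, v)]


def scan_log(text):
    """One finding per credential found in a request target or a Referer."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            if url == "-":
                continue
            for name, value in suspicious_params(url):
                findings.append({
                    "line": lineno, "client": m["ip"], "where": where,
                    # For a Referer this is the site whose token we now hold.
                    "origin": urlsplit(url).netloc or "(this host)",
                    "param": name, "token": value,
                })
    return findings


def redact(url):
    """Strip credential values from a URL before it is written to a log.

    parse_qsl decodes percent-escapes, so the rebuilt query is normalised
    rather than byte-identical; fine for a log, not for a redirect target.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    pieces = [f"{n}={'REDACTED' if is_credential(n, v) else v}"
              for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query="&".join(pieces)))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['where']} from {f['client']} leaks "
              f"{f['param']} for {f['origin']}: {f['token'][:8]}...")
    print(redact("/viewtopic.php?t=42&PHPSESSID=9f3c0a7e5d2b4c6a8e1f0d3b5a7c9e2f"))
```

A hit in the request column means your own site puts credentials in URLs; a hit in the Referer column means some other site does, and you are now holding its users' sessions in plain text on disk. Redacting at log-write time limits the damage, but the fix the thread is pointing at is to move the token out of the URL (into a cookie) so it never reaches history, proxies or the Referer in the first place; the narrower default referrer policies in current browsers reduce the cross-site case but are a client-side default, not something the server can rely on.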