[Haskell-cafe] ANN: Nomyx 0.1 beta, the game where you can change the rules

Chris Wong chrisyco+haskell-cafe at gmail.com
Fri Mar 1 05:17:32 CET 2013 

On Thu, Feb 28, 2013 at 1:26 PM, Brandon Allbery <allbery.b at gmail.com> wrote:
> On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont <corentin.dupont at gmail.com>
> wrote:
>> Hi Chris,
>> Thanks!
>> That's true for the user number. What should I do? Encrypt it?
>
> It's not that you have a user number, or even that it's accessible: it's
> that it's the entirety of access control, meaning that if the user changes
> it they can masquerade as another user. The correct solution is that a user
> should authenticate, which creates a session hash that you stash away and
> also send back to the user as a cookie so the browser will present it on
> accesses. Then you check that the presented hash is there and matches the
> session hash. These should expire periodically, requiring the user to log
> back in again.

Brandon pretty much pulled the words out of my mouth, but I have one
last thing to add: no matter how well you encrypt the information, as
long as it's in the URL it's insecure.

Hypothetical situation #1: if there's someone looking over your
shoulder, they can just note down the address -- it is in plain view,
after all.

Even more likely: your friend wants to watch the game, so you send her
the link. Unfortunately, you forget to delete your session information
from the URL. Now your friend (conveniently named Eve) has hijacked
your account and is voting on your behalf.

The Ruby on Rails website has an excellent explanation of common
security holes [1]. The article is Rails-centric, but most of it
applies to Haskell as well.

[1] http://guides.rubyonrails.org/security.html

As for libraries, Happstack has happstack-authenticate [2]. I haven't
used it myself, but it looks good.

[2] http://hackage.haskell.org/package/happstack-authenticate

Chris

> --
> brandon s allbery kf8nh                               sine nomine associates
> allbery.b at gmail.com                                  ballbery at sinenomine.net
> unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net

More information about the Haskell-Cafe mailing list