[Haskell-cafe] ANN: Nomyx 0.1 beta, the game where you can change the rules

Ertugrul Söylemez es at ertes.de
Fri Mar 1 13:59:38 CET 2013


Joe Quinn <headprogrammingczar at gmail.com> wrote:

> Additionally, you can change the session hash with every page hit, to
> some other totally random hash. If someone steals your session, they
> had better act on it immediately, lest you visit another page and it
> changes completely. If your session gets hijacked, you get logged
> out. When you log in again the attacker loses access.

That will likely cause trouble with concurrent connections aka
pipelining:

  * Client sends request 1 with session id A.

  * Server receives request 1, verifies A = A, handles the request, sets
    new hash to B, sends response.

  * Client sends request 2 with session id A.

  * Server rejects request 2 because of a session id mismatch (A /= B).

  * Client receives response to request 1, sets session id to B.

Don't change the session id in the middle of the session.  To prevent
session hijacking you need to use SSL.


Greets,
Ertugrul

-- 
Not to be or to be and (not to be or to be and (not to be or to be and
(not to be or to be and ... that is the list monad.