PerlMonks  

Re: SessionID on a windows server (secure cookies)

by Anonymous Monk
on Jan 30, 2015 at 00:29 UTC


in reply to SessionID on a windows server

Any insights as to why this would be?

Because you wrote it that way? :D

One problem is passing/accepting the sessionid through URLs.

The other is accepting the sessionid without further checks, like the "-ip_match" that ikegami mentions, which prevent https://en.wikipedia.org/wiki/Session_fixation

The simplest solution is to use secure cookies (you don't really have to write much, if any, extra code; all the popular frameworks support it in one way or another).


Dancer2::Session::Cookie - Dancer 2 session storage in secure cookies
Plack::Middleware::Session::Cookie also does tamper-evident cookies (base64 encoded, HMAC-SHA1 signed).
https://metacpan.org/module/Mojolicious::Guides::Growing#State-keeping : a "secure" cookie means tamper-evident/tamper-proof/tampering-obvious. Just remember that all session data gets serialized with Mojo::JSON and stored in HMAC-SHA1 signed cookies, which usually have a 4096 byte limit, depending on browser.

A better solution is to use HTTP digest authentication... but it requires a tad more work on the JavaScript end: http://marcin-michalski.pl/2012/11/01/javascript-digest-authentication-restful-webservice-spring-security-javascript-ajax/
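The "base64 encoded, HMAC-SHA1 signed" cookie scheme the frameworks above use, plus an -ip_match style check against fixation, shown as an added stand-alone example (not code from this post or from Dancer2, Plack or Mojolicious; the SECRET value, the "--" separator and the function names are constructed for illustration):

```python
import base64
import hashlib
import hmac
import json

# Server-side secret; a real deployment loads this from configuration,
# never from anything the client sends.  Constructed value for the example.
SECRET = b"constructed-example-secret-do-not-reuse"


def sign_session(data, secret=SECRET):
    """Serialize session data to JSON, base64 it, append an HMAC-SHA1 tag.

    Cookie value: <urlsafe-base64(json)>--<hex hmac>.  Nothing is encrypted:
    the client can read the payload but cannot alter it without breaking the tag.
    """
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()
    return f"{payload}--{tag}"


def verify_session(cookie, secret=SECRET, client_ip=None):
    """Return the session dict if the tag (and optional IP binding) checks out, else None."""
    payload, sep, tag = cookie.rpartition("--")  # tag is hex, so it contains no '-'
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()
    # Constant-time compare so timing does not reveal how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload.encode()))
    # Equivalent of CGI::Session's -ip_match: a valid cookie presented from a
    # different address than the one recorded at login is rejected.
    if client_ip is not None and data.get("ip") != client_ip:
        return None
    return data


def demo():
    """Valid cookie, payload edited by the client, and cookie replayed from another IP."""
    session = {"user": "alice", "role": "user", "ip": "192.0.2.10"}
    cookie = sign_session(session)
    good = verify_session(cookie, client_ip="192.0.2.10")
    edited = dict(session, role="admin")  # client rewrites the payload, keeps the old tag
    forged_payload = base64.urlsafe_b64encode(
        json.dumps(edited, sort_keys=True).encode()).decode()
    forged = verify_session(forged_payload + "--" + cookie.rpartition("--")[2],
                            client_ip="192.0.2.10")
    replayed = verify_session(cookie, client_ip="198.51.100.7")
    return good, forged, replayed
```

Only the HMAC tag makes the cookie tamper-evident; the 4096 byte limit and the readable payload still apply, so keep secrets out of the session data itself.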

Re^2: SessionID on a windows server (secure cookies)
by mwhiting (Beadle) on Jan 30, 2015 at 15:37 UTC

    After looking up secure cookies, it would appear you have to be on a secure server to use them (and use https for calls). I wouldn't be guaranteed that I could use a secure server on the various customer sites.

    Also, I think we wouldn't want to have to move the script and associated files from the regular server to the secure one. (maybe that's not a problem, maybe you can use https from the same folder on the server as before, I'm not certain on that.)

      After looking up secure cookies, it would appear you have to be on a secure server to use them (and use https for calls).

      Secure server? https? No, that's not secure cookies -- sure, it enhances "secure cookies", but it's not a requirement.
