Re: URL-Rewriting, referer and https
- From: sameergn@xxxxxxxxx
- Date: Tue, 10 Jul 2007 23:43:32 -0700
On Jul 8, 7:21 pm, Tom Hawtin <use...@xxxxxxxxxxxxxxxxx> wrote:
> samee...@xxxxxxxxx wrote:
>> What would be a good security mechanism if we remove the referer check and
>> still keep using URL rewriting? I guess cookie-based sessions are
>> also vulnerable to session hijacking, but it is more difficult to steal a
>> cookie. (Since it is not easily visible in the URL, the only option is to
>> sniff the network, guess the cookie value, or steal it from the user's
>> computer.)
>
> Something else to be aware of is that you don't necessarily have to
> steal a session in order to do something dodgy with it. If I send you to
> a malicious page with some JavaScript in it, that can POST to a third
> party website that you are logged into using cookies or HTTP auth. (In a
> Java Applet/WebStart application, I should only be able to GET using
> AppletContext.showDocument or similar.)
>
> JavaScript is evil.
>
> Tom Hawtin
Our server is currently configured to use only the URL-rewriting method,
so it does not use cookies at all, and our site works fine without
cookies.

Now, moving the jsessionid to a cookie would mean that the site would not work
(or some links would not work, if the server falls back to URL rewriting and
the referer is absent during a transition from https to http) when users
disable cookies in their browser.

Do you think moving to a cookie-based approach is a good idea? I think
there are lots of sites out there (Gmail, Yahoo Mail, Circuit City,
Wells Fargo, ING Direct) that do not work without cookies.

Thanks,
Sameer
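One way a servlet application could act on both points raised in this thread (the jsessionid leaking through the Referer when it sits in the URL, and the cross-site JavaScript POST), written as an added example for a Servlet 2.x container; it is not code from the thread, and the filter class name is hypothetical:

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class name): cookie-only session tracking plus a
// same-origin check on state-changing requests, for a Servlet 2.x container.
public class SessionHardeningFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // A session id that arrived in the URL (;jsessionid=...) sits in browser
        // history and leaks in the Referer to off-site links, so treat it as burned.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession s = request.getSession(false);
            if (s != null) s.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session id in URL");
            return;
        }
        // Cross-site POST (the JavaScript case in the reply above): the browser
        // sends the attacking page's Origin/Referer, not ours, so reject it.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            String source = request.getHeader("Origin");
            if (source == null) source = request.getHeader("Referer");
            if (source == null || !sameHost(source, request.getServerName())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site request");
                return;
            }
        }
        // Make encodeURL()/encodeRedirectURL() no-ops so the container never
        // falls back to URL rewriting; sessions then ride on the cookie only.
        chain.doFilter(req, new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
        });
    }

    // True when the Origin/Referer value names this server's host; fails closed.
    static boolean sameHost(String headerValue, String expectedHost) {
        try {
            String h = URI.create(headerValue).getHost();
            return h != null && h.equalsIgnoreCase(expectedHost);
        } catch (IllegalArgumentException e) { return false; }
    }
}
```

With URL rewriting switched off this way, a browser with cookies disabled gets no session at all, which is exactly the trade-off the post asks about.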
- References:
- URL-Rewriting, referer and https
- From: sameergn
- Re: URL-Rewriting, referer and https
- From: Tom Hawtin