Trails
 » 
Trails - Users

 « Return to Thread: Trails 1.2 & OGNL issues

Re: Trails Security unsecure ???

by Kalle Korhonen-2 :: Rate this Message:

Reply to Author | View in Thread

Obviously session ids do not change with every request; that's why they are *session* ids. The servlet spec defines cookies and url rewriting as the methods for session tracking and it doesn't declare any way to instruct the container to only use either one or the other. Containers may allow to configure it. For example, Tomcat allows you to disable cookies, but not url re-writing (http://tomcat.apache.org/tomcat-5.5-doc/config/context.html). Naturally though, you can choose to not allow sessions at all. You can disable url re-writing manually with a simple filter, but passing in the jsessionid in the request header (as in cookie) isn't considerably more secure than passing it in the url. Use https only if you want to secure all communication to your site.

Kalle


On Mon, May 26, 2008 at 10:15 AM, Tobias Marx <superoverdrive@...> wrote:
Yes, this is what I did now...but what about the automatic session-id fallback? Or is it possible to switch this off ?

Session IDs are bad - unless they change with every request....and/or are ip address related (but ips change, too).


-------- Original-Nachricht --------
> Datum: Mon, 26 May 2008 09:26:56 -0700
> Von: "Kalle Korhonen" <kalle.o.korhonen@...>
> An: users@...
> Betreff: Re: [trails-users] Trails Security unsecure ???

> Use POST to send the login form via https. These certainly are easily
> configurable but not necessarily the best defaults when you first start
> developing a web application - which is why Trails and web app frameworks
> typically have the simplest options for demonstration purposes.
>
> Kalle
>
>
> On Mon, May 26, 2008 at 7:41 AM, Tobias Marx <superoverdrive@...>
> wrote:
>
> > There are some issues about Trails Security that might maybe
> > be configurable - I hope they are.
> >
> > By default, Trails Security is quite unsecure:
> >
> > 1. Username/password on the login page are passed via GET in the URL !!!
> > 2. If Cookies are disabled, Session IDs are used - that are easily
> > hijackable....
> >
> > Is there a workaround?
> >
> > Thanks!
> >
> >
> > Tobias
> >
> > ---------------------------------------------------------------------
> > To unsubscribe from this list, please visit:
> >
> >    http://xircles.codehaus.org/manage_email
> >
> >
> >

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email



 « Return to Thread: Trails 1.2 & OGNL issues

Free embeddable forum powered by Nabble Forum Help