PerlMonks |
CGI security problem: Netscape 6.X: browser session security weakness in client
by hackmare (Pilgrim) on Feb 04, 2002 at 12:06 UTC [id://143215]
This is not a perl problem per se, but has some profound security consequences on perl cgi scripts which use the session id to authenticate a user (such as any password-enabled page).

Subject: netscape 6.x browser wrecks session tracking framework for CGI scripts which use the session ID to identify a given user session.

Here's the short of it: One of the features of NS6.X is that it has a workaround to circumvent the slow loading of the application on your desktop which keeps NS running in the background. This effectively causes NS to start on launch of the OS (or at least in windows).

Here's the problem: As long as windows is up, even if you close NS, it remains active in the background. This means that any authentication you have performed on any sites you are using is still valid unless other authentication tokens such as inactivity are used.

So what does this mean to me, the perl coder? Well, this means that as long as the machine is not rebooted, all password-protected sites the user has accessed are available to anyone who uses the machine, even if the user has shut down their browser. This means that on the script side, we can not assume that the session ID means anything anymore when parsing security tokens. Let's face it, there are plenty of users out there that leave their PCs unattended for a little while. And since most machines stay on indefinitely, this means that it is reasonable to assume that we can not assume that the session ID is valid any more at all since it may span months. And this means that NS6.X is self-dooming to stay off the enterprise system architecture for now as this is too much of a security bug.

Workaround? All I can think of as a workaround is to add time-dependent tracking to all security, and to make the time-to-live of the cookie as short as possible. Of course, both these options have always existed,

What's he talking about? Whenever you authenticate (log in) into a site, a cookie is placed on your browser that is passed through automatically and is used by the server to verify that you are not being spoofed by another machine. This simple authentication cookie is based on the session ID of your browser, or a unique string randomly generated by the browser on launch. With NS6.x, as long as your OS is up, that session ID does not change, no matter how many times you close NS.

Further reading: Here's an article on session management using perl
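The time-dependent tracking the post proposes, as an added example (my code, not hackmare's and not from the post): the script issues its own session token, records creation and last-seen times server-side, and rejects a cookie that a still-running browser keeps presenting once an idle timeout or absolute lifetime has passed; the Set-Cookie header also carries a short Max-Age. The timeout values, the in-memory store, the `Secure`/`HttpOnly` attributes and the demo timestamps are assumptions, and the code assumes Digest::SHA (core since perl 5.10).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Policy (assumed values): reject a session after 15 minutes idle or
# 8 hours in total, no matter what the browser still sends.
my $IDLE_TIMEOUT = 15 * 60;
my $MAX_LIFETIME = 8 * 60 * 60;

# Constructed in-memory store; a real script would use a DB or file.
my %sessions;

# Server-generated token: the browser-supplied id is never trusted.
sub new_session {
    my ($user, $now) = @_;
    my $id = sha256_hex(join '|', $user, $now, rand(), $$);
    $sessions{$id} = { user => $user, created => $now, last_seen => $now };
    return $id;
}

# Returns the user name if the session is still valid, undef otherwise.
sub validate_session {
    my ($id, $now) = @_;
    my $s = $sessions{$id} or return undef;
    if (   $now - $s->{created}   > $MAX_LIFETIME
        || $now - $s->{last_seen} > $IDLE_TIMEOUT) {
        delete $sessions{$id};    # expired: drop it server-side as well
        return undef;
    }
    $s->{last_seen} = $now;       # sliding idle window
    return $s->{user};
}

# Short-lived cookie: Max-Age makes the browser discard it on its own.
# Secure/HttpOnly are later additions not discussed in the post.
sub session_cookie_header {
    my ($id) = @_;
    return "Set-Cookie: sid=$id; Max-Age=$IDLE_TIMEOUT; Path=/; Secure; HttpOnly\r\n";
}

# Demo with constructed timestamps: valid 10 min in, rejected after 30 min idle.
my $t0 = 1_012_824_360;
my $id = new_session('monk', $t0);
print session_cookie_header($id);
print "after 10 min: ",      (validate_session($id, $t0 + 600)        // 'rejected'), "\n";
print "after 30 min idle: ", (validate_session($id, $t0 + 600 + 1800) // 'rejected'), "\n";
```

A cookie that outlives the OS session is harmless once the server-side record has expired, which is the check the browser cannot undo.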