This is not a perl problem per say, but has some profound security consequences on perl cgi scripts which use the session id to authenticate a user (such as any password-enabled page)

Subject: netscape 6.x browser wrecks session tracking framework for CGI scripts which use the session ID to identify a given user session.

Here's the short of it:

One of the features of NS6.X is that it has a workaround to circumvent the slow loading of the application on your desktop which keeps NS running on the background. This effectively causes NS to start on launch of the OS (or at least in windows).

Here's the problem:

Aas long as windows is up, even if you close NS, it remains active in the background. This means that any authentication you have performed on any sites you are using are still valid unless other authentication tokens such as inactivity are used.

So what does this mean to me, the perl coder?

Well, this means that as long as the machine is not rebooted, all password-protected sites the user has accessed are available to anyone who uses the machine, even if the user has shut down their browser. This means that on the script side, we can not assume that the session ID means anything anymore when parsing security tokens. let's face it, there are plenty of users out there that leave their PCs unattended for a little while. And since most machines stay on indefinitely, this means that it is reasonable to assume that we can not assume that the sessino ID is valid any more at all since it may span months.

And this means that NS6.X is self-dooming to stay off the enterprise system architecture for now as this is too much of a security bug.

Workaround?

All I can think of as a workaround is to add time-dependent tracking to all security, and to make the time-to-live of the cookie as short as possible. Of course, both these options have always existed,

What's he talking about?

Whenever you authenticate (log in) into a site, a cookie is placed on your browser that it passed through automatically and is used by the server to verify tha you are not being spoofed by another machine. This simple authentication cookie is based on the session ID of your browser, or a unique string randomly generated by the browser on launch. With NS6.x, as long as your OS is up, that session ID does not change, no matter how many times you close NS.

Further reading:

Here's an article on session management using perl

In reply to CGI security problem:Netscape 6.X: browser session security weakness in client by hackmare

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.