Yes, but the idea is using this as default, and warning about it. Any webdeveloper lazy enough to ignore 1st The instructions, 2nd the warnings is beyond any help.
A framework can't replace intelligence On Mon, May 26, 2008 at 7:53 PM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote: > > On 26/05/2008, at 10:18 AM, Aníbal Rojas wrote: > >> Agreed all the previous stuff... >> >>> The reason nobody can ever spoof a session is that they can never >>> generate >>> the needed hash because they don't have the @@state_secret piece of text >>> needed to do so, hopefully! This presents a challenge for open source. We >>> really need to raise an error if anyone tries to use CookieSessions >>> without >>> setting the @state_secret to something other than nil or "". Maybe one >>> good >> >> I don't think raising a error is _required_, filling the log with a >> meaningful message / advice should be enough. >> >>> solution is to add logic to CookieSessions so that if it is run without a >>> @@state_secret supplied, it creates a file containing the state_secret, >>> filling it with totally random characters. This too is a terrible >>> security >>> risk though, as the camping app may be being run in a webserver like >>> apache >>> or lighttpd, and that state_secret file generated may be readable by the >>> web >>> server. If an attacker can simply download a file telling them the state >>> secret, it's game over. The only sensible default I could think of was >>> the >>> source code to the application itself, still problematic for open source, >>> but would allow people to build apps without specifying an @state_secret >>> and >> >> Interesting idea. >> >>> have a unique value used anyway. As they change the source code during >>> development, they would be repeatedly signed out. I couldn't figure out a >> >> I think it would be more a annoyance than a real trouble for the users. >> The Web in intrinsecally broken. >> >>> way to do this well with the current release of camping. >> >> For you idea of using the source cod (I think it could be more than >> enough) I think anotehr variations could be: >> >> - Using a directory listing of the app. >> - The value of a environment variable ( >> - The timestamp (or something derived) of the folder containing the app. >> - The path where the app is intalled >> - etc > > I don't like any of these, it has to be something a remote attacker cannot > find out the value to. Remote attacker could potentially get a directory > listing, guess the value of an environment variable, find out the timestamp > from a webserver's directory listing, and guess the path the app is > installed to. The secret HAS to be a secret, it can't be something anyone > else has any chance of guessing or finding out remotely. > >> >> >> -- >> Aníbal >> >> >>> >>> — >>> Jenna >>> >>> On 26/05/2008, at 7:45 AM, Aria Stewart wrote: >>> >>>> On Sat, 2008-05-24 at 22:43 -0500, _why wrote: >>>>> >>>>> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote: >>>>>> >>>>>> * The cookie session is named Camping::Session and is placed in >>>>>> camping/session.rb. Maybe this should be called Camping::CookieSession >>>>>> or??? >>>>> >>>>> You know, these cookie sessions seem like they could be a problem. >>>>> A lot of sessions would contain just the hash and the user name. >>>>> So, spoof the user name and you're in, you know? >>>> >>>> Agreed, without an HMAC signature. >>>> >>>> _______________________________________________ >>>> Camping-list mailing list >>>> [email protected] >>>> http://rubyforge.org/mailman/listinfo/camping-list >>> >>> _______________________________________________ >>> Camping-list mailing list >>> [email protected] >>> http://rubyforge.org/mailman/listinfo/camping-list >>> >> _______________________________________________ >> Camping-list mailing list >> [email protected] >> http://rubyforge.org/mailman/listinfo/camping-list > > _______________________________________________ > Camping-list mailing list > [email protected] > http://rubyforge.org/mailman/listinfo/camping-list > -- Aníbal _______________________________________________ Camping-list mailing list [email protected] http://rubyforge.org/mailman/listinfo/camping-list
