Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Joshua Chamas [EMAIL PROTECTED] writes: It reoccured to me just now (back from a sessions methods discussion a long time ago) that these query string cookies might show up in the referer logs of other sites if you have offsite links on your session id pages. I tried a workaround just now where a redirect program would handle offsite links, but the HTTP_REFERER is sticky to the last page visited, and I see no workaround to this security issue. Instead of redirecting them offsite present a page saying "you're about to go offsite" and use a refresh meta tag to send them on their way. If you set the timeout on the refresh to 0 they won't even see the page and I would expect the referrer to still be set. You might even be able to use a refresh header instead of a meta tag and just use a static html page. -- greg
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
"Serge" == Serge Sozonoff [EMAIL PROTECTED] writes: Serge Hello, It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. Serge There is a little article about cookie-less sessions at: Serge www.webdevelopersjournal.com/columns/stateful.html And this method requires client-side javascript enabled (mine is not, thank you), *and* frames your entire site, so bookmarking is useless. Nope, I wouldn't put it into the "useful robust" category. You're still back to: cookies (maybe disabled) hidden fields (only with form submissions) mangled URLs (all pages must be dynamic generated) auth (like BasicAuth where you "log in") And one *new* one that I pondered recently, that can be used as long as you presume HTTP/1.1... I don't have time to write it up here, but it permits: 1) bookmarking of sessions 2) no rewriting of URLs for static pages, even if they have links 3) access to session ID even by mod_cgi scripts 4) new sessions are started by a simple external redirect 5) one simplePerlTransHandler could provide the master session-start for any URL downside: you must have access to a UDP port 53 somewhere and DNS delegation I'll write up more after I've done some testing. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/ Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
sorry - you peaked my interest so I have to jump the gun a little. are you basing it on unique host names which are resolved by some type of dns delegation? if so, only problem is with SSL pages. the host name has to match the one in the certificate otherwise the browser will give a warning. in this case we would have to rely on the first HTTP_REFERER from a non SSL page, and then back to mangled URL's or hidden fields (we know we are using a form or we wouldn't need SSL). cliff rayman genwax.com "Randal L. Schwartz" wrote: "Serge" == Serge Sozonoff [EMAIL PROTECTED] writes: Serge Hello, It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. Serge There is a little article about cookie-less sessions at: Serge www.webdevelopersjournal.com/columns/stateful.html And this method requires client-side javascript enabled (mine is not, thank you), *and* frames your entire site, so bookmarking is useless. Nope, I wouldn't put it into the "useful robust" category. You're still back to: cookies (maybe disabled) hidden fields (only with form submissions) mangled URLs (all pages must be dynamic generated) auth (like BasicAuth where you "log in") And one *new* one that I pondered recently, that can be used as long as you presume HTTP/1.1... I don't have time to write it up here, but it permits: 1) bookmarking of sessions 2) no rewriting of URLs for static pages, even if they have links 3) access to session ID even by mod_cgi scripts 4) new sessions are started by a simple external redirect 5) one simplePerlTransHandler could provide the master session-start for any URL downside: you must have access to a UDP port 53 somewhere and DNS delegation I'll write up more after I've done some testing. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/ Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Serge Sozonoff wrote: Hello, It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. There is a little article about cookie-less sessions at: www.webdevelopersjournal.com/columns/stateful.html Anything to help get through this mess, and come up with a good solution, thanks Serge! I read the article, and found it kind of funny that the author thought that client side JavaScript was a better solution than Cookies... which do you think get turned off more by end users ? I bet its nearly equal, there are at least as many security issues involving javascript as there are with cookies, and javascript can be far more visibly intrusive. Jamie, if you want to see our previous discussion here on cookieless sessions, check out: http://www.egroups.com/MessagesPage?listName=modperlsearch=%22asp+cookieless+sessions%22 -- Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Hello, It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. There is a little article about cookie-less sessions at: www.webdevelopersjournal.com/columns/stateful.html Serge !--! ! Serge Sozonoff ! ! http://www.skiphotos.ch ! !--!
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
On Tue, 7 Dec 1999, Joshua Chamas wrote:
I am going to give ASP developers a session
option, it should be
possible to make secure.
Stas Bekman wrote:
But if you intercept the redirection, why not to
strip/modify the
HTTP_REFER header at the server side?
how about a call to something like
a href="%= $Server-StripSession('evil.perl.com')
%"evil perl session pirates/a
that calls something which strips the referer and
redirects.
remi
__
Do You Yahoo!?
Thousands of Stores. Millions of Products. All in one place.
Yahoo! Shopping: http://shopping.yahoo.com
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
On Tue, 07 Dec 1999, Joshua Chamas wrote:
What options are there anyone, for real cookieless sessions,
without this security risk ??? We can't use IP authentication
because of proxies/NAT, maybe an SSL cert, but not everyone has
this, the UserAgent is not stratified enough to mean much,
so that what, when we are trying to get past cookies here.
I don't think there's a real option for making it secure. However I think
the prefix (or postfix) method used in the Eagle book is a good one. Simply
change the config to:
PerlTransHandler Apache::ASP
and in the handler go:
sub handler {
my $url_session = $r-dir_config('URLSessions');
if ($r-current_callback eq 'PerlLogHandler') {
if ($url_sessions) {
# Get session ID from URL
# store in notes or pnotes
# Remove session ID from URL
}
else {
# Get session ID from cookie
# store in notes or pnotes
}
return $r-push_handler('PerlHandler', \handler);
}
Am I missing some reason this won't work?
--
Matt/
Details: FastNet Software Ltd - XML, Perl, Databases.
Tagline: High Performance Web Solutions
Web Sites: http://come.to/fastnet http://sergeant.org
Available for Consultancy, Contracts and Training.
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Matt Sergeant wrote:
I don't think there's a real option for making it secure. However I think
the prefix (or postfix) method used in the Eagle book is a good one. Simply
change the config to:
PerlTransHandler Apache::ASP
and in the handler go:
sub handler {
my $url_session = $r-dir_config('URLSessions');
if ($r-current_callback eq 'PerlLogHandler') {
if ($url_sessions) {
# Get session ID from URL
# store in notes or pnotes
# Remove session ID from URL
}
else {
# Get session ID from cookie
# store in notes or pnotes
}
return $r-push_handler('PerlHandler', \handler);
}
Am I missing some reason this won't work?
It will work fine, but the problem still remains that the
incoming page URL has the session-id in it, so that when you go
offsite, the referer header sent by the client has the client's
session id in it still, and the unethical webmaster could easily
then access the users sessions by looking at the referer logs.
-- Joshua
_
Joshua Chamas Chamas Enterprises Inc.
NodeWorks free web link monitoring Huntington Beach, CA USA
http://www.nodeworks.com1-714-625-4051
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Secure sessions are hard work. You need to sit down and evaluate whether or not you
actually need *secure* sessions. If you decide that enough is at stake to really
tighten the screws, then read on.
The problem of the session ID in HTTP_REFERER is easy to tackle. You just need to
rewrite every URL on your secure site to be a redirect from a page that doesn't
include the session ID. For example:
http://cnn.com/
becomes
http://myhost.com/strip_session?url=http://cnn.com/
and the HTTP_REFERER at cnn.com doesn't include the session ID. Clearly the path
strip_session needs to not require a session ID.
-jwb
On 12/07/99, Joshua Chamas wrote:
Serge Sozonoff wrote:
Hi Joshua,
I was wondering if you could give us a little update on the status of
Sessions w/o cookies for Apache::ASP?
Have you started coding it already or is it at the bottom
of a big list of things to do?
Many Thanks,
Serge
I have been working with Remi Fasol on this, and what we
have so far is a set up that uses the QueryString for
keeping track of session ids, in addition to the cookie
implementation that exists.
The QueryString method represents nice backup to the existing
cookie implementation for users that have cookies turned off,
but functionally is not as nice because someone will get a
new session id when reentering the site. So if a user starts
browsing off site, and instead of hitting the back button,
just reenters your URL in the location bar, they will start a
new session. Remi commented that Amazon's sessions seem to
have the same limitations.
These cookieless sessions are implemented with a config setting
SessionQueryStringID that if set, ASP will automatically parse
out of the QueryString the session-id, and use that if there
is no such session-id cookie. Then, whatever URL's you
want the system to keep track of, the web developer uses the
$Server-URL($url, { %params })
API extension to create a URL that will have a session id
built into it. This $Server-URL() method will be nice
for just building URL's in general with or without the
cookieless sessions, as it will joing the params hash
into a nice ?query_string automatically.
It reoccured to me just now (back from a sessions
methods discussion a long time ago) that these query string
cookies might show up in the referer logs of other sites if you
have offsite links on your session id pages. I tried a workaround
just now where a redirect program would handle offsite links, but
the HTTP_REFERER is sticky to the last page visited, and I see
no workaround to this security issue.
What options are there anyone, for real cookieless sessions,
without this security risk ??? We can't use IP authentication
because of proxies/NAT, maybe an SSL cert, but not everyone has
this, the UserAgent is not stratified enough to mean much,
so that what, when we are trying to get past cookies here.
-- Joshua
_
Joshua Chamas Chamas Enterprises Inc.
NodeWorks free web link monitoring Huntington Beach, CA USA
http://www.nodeworks.com1-714-625-4051
--
Jeffrey Baker * [EMAIL PROTECTED]
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Jeffrey Baker wrote: Secure sessions are hard work. You need to sit down and evaluate whether or not you actually need *secure* sessions. If you decide that enough is at stake to really tighten the screws, then read on. The problem of the session ID in HTTP_REFERER is easy to tackle. You just need to rewrite every URL on your secure site to be a redirect from a page that doesn't include the session ID. For example: http://cnn.com/ becomes http://myhost.com/strip_session?url=http://cnn.com/ and the HTTP_REFERER at cnn.com doesn't include the session ID. Clearly the path strip_session needs to not require a session ID. -jwb Does this really work ? I tried this locally, and it didn't. The HTTP_REFERER was still sent as from the original page even though there was an intervening redirect script. This referer had the original session-id in it. So a page like: page.asp?session-id=aasdfdasfdsafadsfadsf which pointed to a redirect script for http://cnn.com like: redirect.asp?url=http://cnn.com At cnn.com, the HTTP_REFERER = page.asp?session-id=aasdfdasfdsafadsfadsf not redirect.asp?url=http://cnn.com as I would have hoped. I don't need these non-cookie secure sessions myself, but if I am going to give ASP developers a session option, it should be possible to make secure. -- Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Does this really work ? I tried this locally, and it didn't.
The HTTP_REFERER was still sent as from the original page
even though there was an intervening redirect script.
This referer had the original session-id in it.
So a page like: page.asp?session-id=aasdfdasfdsafadsfadsf
which pointed to a redirect script for http://cnn.com like:
redirect.asp?url=http://cnn.com
At cnn.com, the HTTP_REFERER = page.asp?session-id=aasdfdasfdsafadsfadsf
not redirect.asp?url=http://cnn.com as I would have hoped.
I don't need these non-cookie secure sessions myself, but if
I am going to give ASP developers a session option, it should be
possible to make secure.
Here is how I solved the problem with redirecting offsite when I am using
the URI for session tracking. Since I have never used ASP or Apache::ASP,
I am not sure if you could implement this somehow.
I fixup all offsite URL's (in my Racing_Links Section) so that the href
looks like this:
a href='/Redirect_External?redir_url=http://url.toget.com/blahblahblah'
target='new'
The Redirect_External handler looks like this:
===
package Apache_Car::Redirect_External;
use strict;
use Apache::Constants qw|OK|;
sub handler {
my $r = shift;
my $params = $r-pnotes('Params_REF');
my $redir_url = $params-{'redir_url'};
$r-content_type('text/html');
$r-send_http_header;
print qq|htmlheadmeta http-equiv=refresh
content='0;URL=$redir_url'/headbody/body/html|;
return OK;
}
1;
__END__
I just use a meta refresh using 0 seconds and the requested uri. The key
is to make sure that you keep the user local on your site by having them
request a uri that does not have the session-key in the uri. I tried this
with both netscape and IE4,5 and a real benefit was the the refreshed page
actually showed no referer in the apache logs for the requested site.
I guess you could implement this by changing the external link uri's to
point local, then dish out a page with the 0 second refresh.
my $.02
Bill
-- Joshua
_
Joshua Chamas Chamas Enterprises Inc.
NodeWorks free web link monitoring Huntington Beach, CA USA
http://www.nodeworks.com1-714-625-4051
===
Bill Desjardinshttp://www.carracing.com
[EMAIL PROTECTED]Tel: 305.205.8644
FREE Homepages for Racers and Race Tracks!!
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Bill Desjardins wrote: I don't need these non-cookie secure sessions myself, but if I am going to give ASP developers a session option, it should be possible to make secure. Here is how I solved the problem with redirecting offsite when I am using the URI for session tracking. Since I have never used ASP or Apache::ASP, I am not sure if you could implement this somehow. I fixup all offsite URL's (in my Racing_Links Section) so that the href looks like this: a href='/Redirect_External?redir_url=http://url.toget.com/blahblahblah' target='new' ... print qq|htmlheadmeta http-equiv=refresh content='0;URL=$redir_url'/headbody/body/html|; return OK; } meta refresh === Brilliant !! Thanks Bill for this excellent work around. --Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051
