Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Joshua Chamas [EMAIL PROTECTED] writes: It reoccured to me just now (back from a sessions methods discussion a long time ago) that these query string cookies might show up in the referer logs of other sites if you have offsite links on your session id pages. I tried a workaround just now where a redirect program would handle offsite links, but the HTTP_REFERER is sticky to the last page visited, and I see no workaround to this security issue. Instead of redirecting them offsite present a page saying "you're about to go offsite" and use a refresh meta tag to send them on their way. If you set the timeout on the refresh to 0 they won't even see the page and I would expect the referrer to still be set. You might even be able to use a refresh header instead of a meta tag and just use a static html page. -- greg
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
"Serge" == Serge Sozonoff [EMAIL PROTECTED] writes: Serge Hello, It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. Serge There is a little article about cookie-less sessions at: Serge www.webdevelopersjournal.com/columns/stateful.html And this method requires client-side javascript enabled (mine is not, thank you), *and* frames your entire site, so bookmarking is useless. Nope, I wouldn't put it into the "useful robust" category. You're still back to: cookies (maybe disabled) hidden fields (only with form submissions) mangled URLs (all pages must be dynamic generated) auth (like BasicAuth where you "log in") And one *new* one that I pondered recently, that can be used as long as you presume HTTP/1.1... I don't have time to write it up here, but it permits: 1) bookmarking of sessions 2) no rewriting of URLs for static pages, even if they have links 3) access to session ID even by mod_cgi scripts 4) new sessions are started by a simple external redirect 5) one simplePerlTransHandler could provide the master session-start for any URL downside: you must have access to a UDP port 53 somewhere and DNS delegation I'll write up more after I've done some testing. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/ Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
sorry - you peaked my interest so I have to jump the gun a little. are you basing it on unique host names which are resolved by some type of dns delegation? if so, only problem is with SSL pages. the host name has to match the one in the certificate otherwise the browser will give a warning. in this case we would have to rely on the first HTTP_REFERER from a non SSL page, and then back to mangled URL's or hidden fields (we know we are using a form or we wouldn't need SSL). cliff rayman genwax.com "Randal L. Schwartz" wrote: "Serge" == Serge Sozonoff [EMAIL PROTECTED] writes: Serge Hello, It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. Serge There is a little article about cookie-less sessions at: Serge www.webdevelopersjournal.com/columns/stateful.html And this method requires client-side javascript enabled (mine is not, thank you), *and* frames your entire site, so bookmarking is useless. Nope, I wouldn't put it into the "useful robust" category. You're still back to: cookies (maybe disabled) hidden fields (only with form submissions) mangled URLs (all pages must be dynamic generated) auth (like BasicAuth where you "log in") And one *new* one that I pondered recently, that can be used as long as you presume HTTP/1.1... I don't have time to write it up here, but it permits: 1) bookmarking of sessions 2) no rewriting of URLs for static pages, even if they have links 3) access to session ID even by mod_cgi scripts 4) new sessions are started by a simple external redirect 5) one simplePerlTransHandler could provide the master session-start for any URL downside: you must have access to a UDP port 53 somewhere and DNS delegation I'll write up more after I've done some testing. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/ Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Serge Sozonoff wrote: Hello, It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. There is a little article about cookie-less sessions at: www.webdevelopersjournal.com/columns/stateful.html Anything to help get through this mess, and come up with a good solution, thanks Serge! I read the article, and found it kind of funny that the author thought that client side JavaScript was a better solution than Cookies... which do you think get turned off more by end users ? I bet its nearly equal, there are at least as many security issues involving javascript as there are with cookies, and javascript can be far more visibly intrusive. Jamie, if you want to see our previous discussion here on cookieless sessions, check out: http://www.egroups.com/MessagesPage?listName=modperlsearch=%22asp+cookieless+sessions%22 -- Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Hello, It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. There is a little article about cookie-less sessions at: www.webdevelopersjournal.com/columns/stateful.html Serge !--! ! Serge Sozonoff ! ! http://www.skiphotos.ch ! !--!
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
On Tue, 7 Dec 1999, Joshua Chamas wrote: I am going to give ASP developers a session option, it should be possible to make secure. Stas Bekman wrote: But if you intercept the redirection, why not to strip/modify the HTTP_REFER header at the server side? how about a call to something like a href="%= $Server-StripSession('evil.perl.com') %"evil perl session pirates/a that calls something which strips the referer and redirects. remi __ Do You Yahoo!? Thousands of Stores. Millions of Products. All in one place. Yahoo! Shopping: http://shopping.yahoo.com
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
On Tue, 07 Dec 1999, Joshua Chamas wrote: What options are there anyone, for real cookieless sessions, without this security risk ??? We can't use IP authentication because of proxies/NAT, maybe an SSL cert, but not everyone has this, the UserAgent is not stratified enough to mean much, so that what, when we are trying to get past cookies here. I don't think there's a real option for making it secure. However I think the prefix (or postfix) method used in the Eagle book is a good one. Simply change the config to: PerlTransHandler Apache::ASP and in the handler go: sub handler { my $url_session = $r-dir_config('URLSessions'); if ($r-current_callback eq 'PerlLogHandler') { if ($url_sessions) { # Get session ID from URL # store in notes or pnotes # Remove session ID from URL } else { # Get session ID from cookie # store in notes or pnotes } return $r-push_handler('PerlHandler', \handler); } Am I missing some reason this won't work? -- Matt/ Details: FastNet Software Ltd - XML, Perl, Databases. Tagline: High Performance Web Solutions Web Sites: http://come.to/fastnet http://sergeant.org Available for Consultancy, Contracts and Training.
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Matt Sergeant wrote: I don't think there's a real option for making it secure. However I think the prefix (or postfix) method used in the Eagle book is a good one. Simply change the config to: PerlTransHandler Apache::ASP and in the handler go: sub handler { my $url_session = $r-dir_config('URLSessions'); if ($r-current_callback eq 'PerlLogHandler') { if ($url_sessions) { # Get session ID from URL # store in notes or pnotes # Remove session ID from URL } else { # Get session ID from cookie # store in notes or pnotes } return $r-push_handler('PerlHandler', \handler); } Am I missing some reason this won't work? It will work fine, but the problem still remains that the incoming page URL has the session-id in it, so that when you go offsite, the referer header sent by the client has the client's session id in it still, and the unethical webmaster could easily then access the users sessions by looking at the referer logs. -- Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Secure sessions are hard work. You need to sit down and evaluate whether or not you actually need *secure* sessions. If you decide that enough is at stake to really tighten the screws, then read on. The problem of the session ID in HTTP_REFERER is easy to tackle. You just need to rewrite every URL on your secure site to be a redirect from a page that doesn't include the session ID. For example: http://cnn.com/ becomes http://myhost.com/strip_session?url=http://cnn.com/ and the HTTP_REFERER at cnn.com doesn't include the session ID. Clearly the path strip_session needs to not require a session ID. -jwb On 12/07/99, Joshua Chamas wrote: Serge Sozonoff wrote: Hi Joshua, I was wondering if you could give us a little update on the status of Sessions w/o cookies for Apache::ASP? Have you started coding it already or is it at the bottom of a big list of things to do? Many Thanks, Serge I have been working with Remi Fasol on this, and what we have so far is a set up that uses the QueryString for keeping track of session ids, in addition to the cookie implementation that exists. The QueryString method represents nice backup to the existing cookie implementation for users that have cookies turned off, but functionally is not as nice because someone will get a new session id when reentering the site. So if a user starts browsing off site, and instead of hitting the back button, just reenters your URL in the location bar, they will start a new session. Remi commented that Amazon's sessions seem to have the same limitations. These cookieless sessions are implemented with a config setting SessionQueryStringID that if set, ASP will automatically parse out of the QueryString the session-id, and use that if there is no such session-id cookie. Then, whatever URL's you want the system to keep track of, the web developer uses the $Server-URL($url, { %params }) API extension to create a URL that will have a session id built into it. This $Server-URL() method will be nice for just building URL's in general with or without the cookieless sessions, as it will joing the params hash into a nice ?query_string automatically. It reoccured to me just now (back from a sessions methods discussion a long time ago) that these query string cookies might show up in the referer logs of other sites if you have offsite links on your session id pages. I tried a workaround just now where a redirect program would handle offsite links, but the HTTP_REFERER is sticky to the last page visited, and I see no workaround to this security issue. What options are there anyone, for real cookieless sessions, without this security risk ??? We can't use IP authentication because of proxies/NAT, maybe an SSL cert, but not everyone has this, the UserAgent is not stratified enough to mean much, so that what, when we are trying to get past cookies here. -- Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051 -- Jeffrey Baker * [EMAIL PROTECTED]
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Jeffrey Baker wrote: Secure sessions are hard work. You need to sit down and evaluate whether or not you actually need *secure* sessions. If you decide that enough is at stake to really tighten the screws, then read on. The problem of the session ID in HTTP_REFERER is easy to tackle. You just need to rewrite every URL on your secure site to be a redirect from a page that doesn't include the session ID. For example: http://cnn.com/ becomes http://myhost.com/strip_session?url=http://cnn.com/ and the HTTP_REFERER at cnn.com doesn't include the session ID. Clearly the path strip_session needs to not require a session ID. -jwb Does this really work ? I tried this locally, and it didn't. The HTTP_REFERER was still sent as from the original page even though there was an intervening redirect script. This referer had the original session-id in it. So a page like: page.asp?session-id=aasdfdasfdsafadsfadsf which pointed to a redirect script for http://cnn.com like: redirect.asp?url=http://cnn.com At cnn.com, the HTTP_REFERER = page.asp?session-id=aasdfdasfdsafadsfadsf not redirect.asp?url=http://cnn.com as I would have hoped. I don't need these non-cookie secure sessions myself, but if I am going to give ASP developers a session option, it should be possible to make secure. -- Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Does this really work ? I tried this locally, and it didn't. The HTTP_REFERER was still sent as from the original page even though there was an intervening redirect script. This referer had the original session-id in it. So a page like: page.asp?session-id=aasdfdasfdsafadsfadsf which pointed to a redirect script for http://cnn.com like: redirect.asp?url=http://cnn.com At cnn.com, the HTTP_REFERER = page.asp?session-id=aasdfdasfdsafadsfadsf not redirect.asp?url=http://cnn.com as I would have hoped. I don't need these non-cookie secure sessions myself, but if I am going to give ASP developers a session option, it should be possible to make secure. Here is how I solved the problem with redirecting offsite when I am using the URI for session tracking. Since I have never used ASP or Apache::ASP, I am not sure if you could implement this somehow. I fixup all offsite URL's (in my Racing_Links Section) so that the href looks like this: a href='/Redirect_External?redir_url=http://url.toget.com/blahblahblah' target='new' The Redirect_External handler looks like this: === package Apache_Car::Redirect_External; use strict; use Apache::Constants qw|OK|; sub handler { my $r = shift; my $params = $r-pnotes('Params_REF'); my $redir_url = $params-{'redir_url'}; $r-content_type('text/html'); $r-send_http_header; print qq|htmlheadmeta http-equiv=refresh content='0;URL=$redir_url'/headbody/body/html|; return OK; } 1; __END__ I just use a meta refresh using 0 seconds and the requested uri. The key is to make sure that you keep the user local on your site by having them request a uri that does not have the session-key in the uri. I tried this with both netscape and IE4,5 and a real benefit was the the refreshed page actually showed no referer in the apache logs for the requested site. I guess you could implement this by changing the external link uri's to point local, then dish out a page with the 0 second refresh. my $.02 Bill -- Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051 === Bill Desjardinshttp://www.carracing.com [EMAIL PROTECTED]Tel: 305.205.8644 FREE Homepages for Racers and Race Tracks!!
Re: ASP Cookieless Sessions (WAS Re: Apache::ASP)
Bill Desjardins wrote: I don't need these non-cookie secure sessions myself, but if I am going to give ASP developers a session option, it should be possible to make secure. Here is how I solved the problem with redirecting offsite when I am using the URI for session tracking. Since I have never used ASP or Apache::ASP, I am not sure if you could implement this somehow. I fixup all offsite URL's (in my Racing_Links Section) so that the href looks like this: a href='/Redirect_External?redir_url=http://url.toget.com/blahblahblah' target='new' ... print qq|htmlheadmeta http-equiv=refresh content='0;URL=$redir_url'/headbody/body/html|; return OK; } meta refresh === Brilliant !! Thanks Bill for this excellent work around. --Joshua _ Joshua Chamas Chamas Enterprises Inc. NodeWorks free web link monitoring Huntington Beach, CA USA http://www.nodeworks.com1-714-625-4051