There are two questions in your email.

The first is about the security of data in session. By default web2py 
sessions are stored in files. The data in those files is only accessible to 
the application, not to the user. The user is linked to the session file 
via a cookie. If somebody were to steal a cookie while the session is 
active, the attacker would be able to download files on behalf of the 
legitimate user. We provide some additional security mechanisms: 1) force 
secure sessions (the cookie would only travel over https); 2) link the 
session to the IP of the client (so even if stolen, it would not work from 
another IP).

This is as secure as in any other framework.

Sessions can be stored in the DB, with no practical security difference. 
Sessions can be stored in encrypted cookies. I do not recommend this 
because it limits the session size. It may be less secure.

Your second question is about which download link to use. Exposing the 
file_id in my opinion is not a serious information leak. The attacker 
cannot do anything with it. Anyway, if you have secure sessions (over 
https) the file_id would be encrypted using ssl so it would not leak 
(except to the NSA). If you store the file_id in session you have a problem 
if the user keeps multiple browser windows open since the downloads can be 
mixed up (this to me is a bigger hazard).

Massimo

 

On Monday, 16 September 2013 01:20:57 UTC-5, weheh wrote:
>
> How secure is session? I'm considering 2 methods for downloading a file: 
> The first is via an A('Download', _href=URL('download', 'file', 
> args=[file_id])). The second would be to have session.file_id = file_id and 
> then have only A('Download', _href=URL('download', 'file')), which causes 
> the app to get the file_id from session.
>
> Assuming my app is bullet proof and only allows permitted users to access 
> their accessible file_ids, then wouldn't the use of session in the second 
> case be more secure because the file_id is never publicly exposed, and 
> thereby hackable?
>
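The two points above, that the download handler's own ownership check is what protects a file_id whether it arrives as a URL argument or from session, and that a file_id parked in session gets overwritten when the user has several windows open, can be seen in a small plain-Python simulation. This is an added example, not code from the reply or from web2py; the ownership table, session store, user names and IPs are constructed here, and the helper names are hypothetical. The IP-binding check mirrors the second mechanism described in the reply (web2py exposes it through session.connect(), and secure-only cookies through session.secure(); neither is called here).

```python
"""Simulation of the two download strategies and the IP-bound session check."""


class Forbidden(Exception):
    """Raised when a user asks for a file_id they do not own."""


# Constructed sample data: which user owns which file_id (not real records).
FILE_OWNERS = {101: "alice", 102: "alice", 201: "bob"}

# Constructed server-side session store keyed by the cookie value; each
# session remembers the client IP it was created from.
SESSIONS = {"cookie-s1": {"user": "alice", "ip": "10.0.0.5"}}


def resolve_session(cookie, client_ip, check_client=True):
    """Map a session cookie to a user.

    With check_client=True the session is bound to the IP that created it,
    so a cookie presented from a different address resolves to no user.
    """
    record = SESSIONS.get(cookie)
    if record is None:
        return None
    if check_client and record["ip"] != client_ip:
        return None
    return record["user"]


def authorize_download(user, file_id):
    """The check that must run on every download, regardless of where
    file_id came from. Hiding the id does not replace this check."""
    if FILE_OWNERS.get(file_id) != user:
        raise Forbidden("user %r may not download file %r" % (user, file_id))
    return file_id


def download_by_arg(user, file_id):
    """Strategy 1: file_id travels as a URL argument (args=[file_id])."""
    return authorize_download(user, file_id)


def download_from_session(user, session):
    """Strategy 2: the handler reads file_id from the shared session dict."""
    file_id = session.get("file_id")
    if file_id is None:
        raise ValueError("no file_id in session")
    return authorize_download(user, file_id)


def simulate_two_windows(user, first_id, second_id):
    """Two browser windows share one session. Each window stores its own
    file_id in session before following the bare download link; the second
    store overwrites the first, so window 1 ends up downloading second_id."""
    session = {}
    session["file_id"] = first_id   # window 1 prepares its link
    session["file_id"] = second_id  # window 2 prepares its link
    return download_from_session(user, session)  # what window 1 receives


if __name__ == "__main__":
    print(download_by_arg("alice", 101))                 # alice owns 101
    print(simulate_two_windows("alice", 101, 102))       # 102: mixed up
    print(resolve_session("cookie-s1", "10.0.0.9"))      # None: other IP
```

Run it directly to see the three outcomes; the ownership check raises Forbidden for a mismatched user in both strategies, which is the property that actually protects the file, while the session variant silently returns the wrong file when windows overlap.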

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
