I appreciate the goal of the continuation web server in Racket as trying to avoid the "inversion of control" problem which plagues much web development. But I wonder if the default continuation web server is very secure?
Looking at the URI generated by the continuation web server...

http://localhost:34691/servlets/standalone.rkt;(("k" . "(1 1 2810783)"))

That's the id used to retrieve the continuation, right? Presumably this is effectively the session of something someone is doing that's important. This doesn't look very high entropy... I'm guessing I could manage to intercept someone's continuation/session. A very large random number would be needed to prevent this.

Even then, keeping random identifiers "secret" is not easy due to unfortunate ways the web has developed. For more on why: https://www.w3.org/TR/capability-urls/

Referer headers are especially nasty in this way. Waterken uses URI fragments to get around this in a secure way, since browsers do not transmit the URI fragment to the server: http://waterken.sourceforge.net/web-key/ Unfortunately, in order to do this it must do its protocol over an AJAX'y (or equivalent) type of dynamic client interface, which is frequently undesirable.

It seems to me like the continuation web server can be used for cool demos and low-security projects, but the continuation system is probably not very safe for most production deployments? I wish this weren't the conclusion I was drawing, as the design seems quite nice.

Another way to get around this design problem would be to use cookies, maybe signed if necessary (not sure it would be, since a large opaque bearer token may be sufficient). I am not a huge fan of that design in some ways, but it may be the best option available, given the options within the insecurity of modern web browser design.

--
You received this message because you are subscribed to the Google Groups "Racket Users" group.
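The following is an added example, not part of the original post and not code from the Racket web-server. It illustrates the three points raised in the message with standard-library Python: a continuation id should be an opaque, high-entropy bearer token rather than a small structured value like `(1 1 2810783)`; anything carried in the URL path or query is reproduced in the Referer header when the page links out, while the fragment is not (the Waterken web-key approach); and carrying the token in a cookie keeps it out of the URL, with an HMAC tag letting the server reject tampered or forged cookies before it touches any state. The class and function names (`ContinuationStore`, `referer_for`, `sign_token`, and so on) are hypothetical, and the URLs used as sample input are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

TOKEN_BYTES = 32  # 256 bits of randomness per continuation id


class ContinuationStore:
    """Maps opaque random tokens to server-side continuation records.

    Hypothetical stand-in for a server's continuation table; the point is that
    the key handed to the client carries no structure an attacker could count
    through or guess.
    """

    def __init__(self):
        self._by_token = {}

    def register(self, continuation):
        # token_urlsafe draws from os.urandom; the id has no structure at all
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_token[token] = continuation
        return token

    def resume(self, token):
        # unknown tokens simply resolve to nothing; no error channel to probe
        return self._by_token.get(token)


def referer_for(url):
    """Approximate what a browser sends as Referer when the user follows a
    link from `url`: scheme, host, port, path (including any ';' path
    parameters) and query survive; userinfo and fragment are dropped
    (RFC 7231 section 5.5.2 forbids sending the fragment, and browsers strip
    credentials)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def web_key_url(base, token):
    """Waterken web-key style: the capability lives in the fragment, which
    client-side script reads but the browser never puts on the wire."""
    return f"{base}#s={token}"


def sign_token(token, key):
    """Cookie value = token '.' HMAC-SHA256(key, token), hex encoded."""
    tag = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{tag}"


def verify_token(cookie_value, key):
    """Return the token if the tag verifies, else None. Comparison is
    constant-time and done on bytes so attacker-controlled text cannot
    trigger a type error in compare_digest."""
    token, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return token


def set_cookie_header(name, signed_value):
    """Attributes that keep the bearer token out of script and off plain HTTP."""
    return f"Set-Cookie: {name}={signed_value}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample: the continuation URL quoted in the message leaks
    # its 'k' parameter in full via Referer, because it is part of the path.
    leaky = 'http://localhost:34691/servlets/standalone.rkt;(("k" . "(1 1 2810783)"))'
    print(referer_for(leaky))

    store = ContinuationStore()
    token = store.register("continuation-record")
    # Fragment-carried token: nothing secret reaches the next site.
    print(referer_for(web_key_url("https://app.example/inbox", token)))
    # Cookie-carried token: nothing secret is in the URL to begin with.
    key = secrets.token_bytes(32)  # server-side secret, never sent to clients
    print(set_cookie_header("session", sign_token(token, key)))
```

The `referer_for` helper models the Referer rules, not any particular browser; real browsers additionally honour Referrer-Policy, which can trim the value further but never adds the fragment back.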