On 22 Jul 2010, at 12:49, Anjo Krank wrote:
Why would you "preserve" the session id when it's no longer valid?
Cheers, Anjo
Am 22.07.2010 um 13:28 schrieb Patrick Middleton:
in order to sanitize inputs -- mostly by removing anything
containing the likes of '<script'. What do you think?
Preserve the session id when it's no longer valid? Anjo, are you
saying my application should have sanitised its inputs?
When I wrote the app I considered how a session ID might not be
valid, and what the app would do:
timed out: give a 'timed out' response page
ought to exist, but the instance has crashed and restarted: give a
'timed out' response page
redirected to the wrong instance by the load balancer: give a 'timed
out' response page
and so on.
I didn't explicitly preserve the session ID. What I did not consider
was someone cooking up an interesting bogus sessionID and then
finding a page accessible by a direct action that had some component
action URLs on it, so that in the event of the session ID not being
valid, I would need to takes steps to ensure it did not appear in the
response.
Moreover, while the sessionID is an excellent place to start for
anybody probing for security vulnerabilities in a WO app, it's not
the only place -- I think every form value, cookie and CGI argument
needs to be sanitised.
---
Regards Patrick
OneStep Solutions Plc
www.onestep.co.uk
This email, including any attachments, is confidential and intended solely for
the person or organisation to whom it is addressed. If you are not the intended
recipient you must not disseminate, distribute or copy any part of this email
nor take any action in reliance on it.
If you have received this in error please notify the sender immediately by
email or phone +44 (0)1702 426400 and delete this email and any attachments
from your system.
Email transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses. The sender therefore does not accept liability
for any errors or omissions in the contents of this message which arise as a
result of email transmission. If verification is required please request a
hard-copy version.
OneStep Solutions LLP is registered in England and Wales under registration
number OC337173 and has its registered office at 457 Southchurch Road,
Southend-on-Sea, Essex SS1 2PH.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
This email sent to arch...@mail-archive.com
