[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler

Simon Eisenmann simon at struktur.de
Tue Oct 12 09:13:48 EDT 2004


On Tue, 2004-10-12 at 15:04 +0200, Jean-Marc Orliaguet wrote:
> >
> > There is still the possibility to steal your sessionid, but at least you
> > won't get your password stolen. People tend to use the same password for
> > many things: logging in to the computer at work, checking email, the
> > computer at home, bank accounts, etc etc. Stealing your sessionid
> > will perhaps authenticate the person to your site, but it will not allow
> > him to use your bank accounts.
> >
> 
> That is precisely the problem: with the session ID you can steal the
> base64 encrypted user:password string that is stored by SessionCrumbler in
> the session.
> 

How is this supposed to work? I suppose this still requires some kind of
server script actually reading the session from the server memory,
doesn't it? The only thing that is transmitted (either per cookie or URL)
is the browser id, which means the thing that connects sessions to
browsers and not the session data itself. Correct me if I am wrong.

Cheers,
 Simon


-- 
Simon Eisenmann

[ mailto:simon at struktur.de ]

[ struktur AG | Friedrichstr. 14 | 70174 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ http://www.struktur.de | mailto:info at struktur.de ]
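The distinction the message above turns on (what the browser carries versus what stays in server memory) can be modelled in a few lines. The following is an added illustration, not code from Zope, CMF or Plone: the cookie names `__ac` and `_ZopeId`, the session layout, and the `USER_DB` table are assumptions made for the demo. Design 1 models a cookie-crumbler style login where the base64 `user:password` string itself rides in the cookie; design 2 models a session-crumbler style login where the cookie holds only a random browser id that maps to a server-side session. The same "attacker captured the cookie" function is run against both to show what a captured cookie yields in each case, and `server_side_read` shows what it takes to get the credential out of the session store.

```python
import base64
import secrets

# Constructed user database for the demo: username -> password (assumption).
USER_DB = {"alice": "hunter2"}


def _encode_ac(user, password):
    """Pack user:password as base64. Base64 is an encoding, not encryption."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def _decode_ac(token):
    """Unpack a base64 user:password token; None if it is malformed."""
    try:
        user, sep, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return (user, password) if sep else None


# --- Design 1: the credential itself rides in the cookie -------------------

def cookie_login(user, password):
    """Cookie set on login. The cookie IS the credential (assumed name __ac)."""
    return {"__ac": _encode_ac(user, password)}


def cookie_authenticate(cookies, user_db=USER_DB):
    """Server side: decode the cookie and re-check the password on each request."""
    creds = _decode_ac(cookies.get("__ac", ""))
    if creds and user_db.get(creds[0]) == creds[1]:
        return creds[0]
    return None


# --- Design 2: only an opaque browser id rides in the cookie ---------------

def session_login(user, password, sessions):
    """Keep the credential in the server-side session store (a dict standing
    in for server memory) and hand the browser only a random id for it."""
    browser_id = secrets.token_urlsafe(16)
    sessions[browser_id] = {"__ac": _encode_ac(user, password)}
    return {"_ZopeId": browser_id}  # assumed cookie name


def session_authenticate(cookies, sessions, user_db=USER_DB):
    """Server side: map the browser id to its session, then check the password."""
    session = sessions.get(cookies.get("_ZopeId"))
    if not session:
        return None
    creds = _decode_ac(session["__ac"])
    if creds and user_db.get(creds[0]) == creds[1]:
        return creds[0]
    return None


# --- What each side can learn ----------------------------------------------

def what_attacker_learns(cookies):
    """An attacker who captured the cookie jar on the wire (or via XSS).
    Design 1: the username and plaintext password. Design 2: nothing but
    an opaque id; there is no credential in the cookie to decode."""
    if "__ac" in cookies:
        return _decode_ac(cookies["__ac"])
    return None


def server_side_read(browser_id, sessions):
    """Reading the credential behind a browser id needs access to the session
    store itself, i.e. code running on the server, not just the cookie."""
    session = sessions.get(browser_id)
    return _decode_ac(session["__ac"]) if session else None


if __name__ == "__main__":
    jar1 = cookie_login("alice", "hunter2")
    print("design 1, attacker learns:", what_attacker_learns(jar1))

    store = {}
    jar2 = session_login("alice", "hunter2", store)
    print("design 2, attacker learns:", what_attacker_learns(jar2))
    # A stolen id still authenticates (session hijack)...
    print("design 2, stolen cookie authenticates as:", session_authenticate(dict(jar2), store))
    # ...but the password only comes out with access to the store.
    print("design 2, server-side read:", server_side_read(jar2["_ZopeId"], store))
```

Note that in neither design does the transported token protect against replay: in design 2 a captured `_ZopeId` authenticates exactly as the thread says. What changes is the blast radius of that capture, which is the point under discussion.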
