Support #265
Session issues
| Status: | Closed | Start: | 01/12/2010 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
When a user reloads the page, a new session is created. This could lead to a serious denial of service attack if someone keeps refreshing the page. Moreover, a user can steal another user's session (and all the data associated with it) by copying their session ID. Is there a way to lock the sessions down?
History
Updated by Koen Deforche about 2 years ago
- Status changed from New to Resolved
There are several ways to reduce the risk of a denial of service attack:
- If your application requires authentication, put authentication in a separate form before the application, and check submitted values from the environment.
- Disable reload-is-new-session in the configuration (perhaps use cookies to avoid the ugly session id in the url).
- Use the default bootstrap mode (not the progressive mode) to avoid denial of service attacks using a command-line tool like wget: the application is then only started after a second request which needs to be of the right format.
- There is no way to prevent one user from stealing another user's session (an idea such as enforcing client IP addresses does not work for multi-homed users and does not work within organizations that sit behind a NAT). If you care about security, use encryption (SSL).
- In any case, provide enough swap space so that unused sessions can be swapped out.
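As an added illustration, not part of this ticket or of the Wt distribution, here is a wt_config.xml fragment that applies the second and third points above, assuming the standard `<server>`/`<application-settings>` layout; the key names are the ones documented in Wt's configuration reference, and the timeout value is a constructed example.

```xml
<server>
  <application-settings location="*">
    <!-- Default is true: every reload starts a fresh session, which lets a
         client that keeps refreshing allocate sessions without limit.
         false reattaches the reload to the existing session instead. -->
    <reload-is-new-session>false</reload-is-new-session>

    <!-- Auto: track the session with a cookie when the browser accepts one,
         and fall back to the session id in the URL only when it does not.
         (URL keeps the id visible in the address bar at all times.) -->
    <session-tracking>Auto</session-tracking>

    <!-- Default (non-progressive) bootstrap: the application object is only
         created after a second, correctly formatted request, so a plain
         command-line fetch of the entry point does not start a session. -->
    <progressive-bootstrap>false</progressive-bootstrap>

    <!-- Constructed example: expire idle sessions after 10 minutes so that
         orphaned sessions are reclaimed rather than swapped out forever. -->
    <session-timeout>600</session-timeout>
  </application-settings>
</server>
```

Session tracking by cookie limits exposure of the id in the URL but does not by itself stop an attacker who already holds a copy of it; that is what the SSL advice in the reply addresses.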
Updated by Koen Deforche about 2 years ago
- Tracker changed from Bug to Support
Updated by Koen Deforche almost 2 years ago
- Status changed from Resolved to Closed