[Zope] How SESSIONs work

Milos Prudek milos.prudek@tiscali.cz
Thu, 21 Feb 2002 11:00:34 +0100


> Generally, you don't.  The easiest way to prevent session theft is to
> encrypt the stream, that is, use https.

Absolutely.

Perhaps I misunderstood. You said that the sessionid key is not 
cryptographically secure. Did you mean the Zope implementation in 
particular, or cookie-based sessioning in general?

I lack experience with cookie theft. My understanding is that a cookie 
theft is achieved either because the server side was tricked by a third 
party into divulging the cookie *or* an en-route ISP is simply listening and 
capturing HTTP traffic. In either case the third party can then set the 
cookie in his browser and finish the transaction that the original 
cookie owner started, and otherwise impersonate the cookie owner if this 
cookie persists between browser sessions. Is this correct?


> This is not strictly true.  You can invalidate the sessionid on
> both the server and the client when the transaction is done and issue a new one.

So if I gather information from the user on five screens and I use a cookie to 
maintain the information entered in previous screens, that's what sessioning 
is about, isn't it? Do you suggest that I should invalidate the cookie 
after each of these five screens and issue a new one? That would trash 
the data maintained in the original session (I'm using CST, 
CoreSessionTracking).

-- 
Milos Prudek
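The two points raised in this message (a sniffed or leaked cookie lets a third party impersonate its owner, and re-issuing the session id after each screen seems to throw away the session data) are illustrated below with an added example. It is not code from this thread, from Zope, or from CoreSessionTracking; the class `SessionStore`, the functions `rotate`, `set_cookie_header` and `five_screen_wizard`, and the sample "answer N" values are all hypothetical names and constructed data. The point it shows is that the session id and the session data are separate things: the server keeps the data under a random key, so the key can be replaced on every screen (invalidating the old one) while the data is carried across, and the cookie carrying the key is marked `Secure` so it is never sent over plain HTTP where an en-route listener could capture it.

```python
import secrets
import time


class SessionStore:
    """Server-side session store keyed by a random, unguessable token.
    Hypothetical helper for this example; not Zope's or CST's own code."""

    def __init__(self, ttl_seconds=1800):
        # token -> {"data": dict, "expires": float}
        self._sessions = {}
        self.ttl = ttl_seconds

    def _new_token(self):
        # 32 random bytes from the OS CSPRNG, URL-safe base64 encoded.
        return secrets.token_urlsafe(32)

    def create(self, data=None):
        token = self._new_token()
        self._sessions[token] = {
            "data": dict(data or {}),
            "expires": time.time() + self.ttl,
        }
        return token

    def get(self, token):
        """Return the session's data dict, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._sessions[token]
            return None
        return entry["data"]

    def rotate(self, old_token):
        """Issue a fresh session id and carry the existing data across.
        The old id stops working immediately, so a copy of it captured
        earlier is useless after this point."""
        data = self.get(old_token)
        if data is None:
            return None
        del self._sessions[old_token]
        return self.create(data)

    def invalidate(self, token):
        """Drop the session entirely, e.g. when the transaction is done."""
        self._sessions.pop(token, None)


def set_cookie_header(token):
    """Set-Cookie value for the session id.
    Secure: only sent over https, so a listener on plain HTTP never sees it.
    HttpOnly: not readable by scripts in the page.
    SameSite=Lax: not attached to most cross-site requests."""
    return f"sessionid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def five_screen_wizard():
    """Simulate five form screens, rotating the session id after each one
    while keeping what the user entered. Returns the store and every
    token that was issued, in order (constructed demo data)."""
    store = SessionStore()
    tokens = [store.create()]
    for screen in range(1, 6):
        data = store.get(tokens[-1])
        data[f"screen{screen}"] = f"answer {screen}"   # constructed input
        tokens.append(store.rotate(tokens[-1]))        # new id, same data
    return store, tokens


if __name__ == "__main__":
    store, tokens = five_screen_wizard()
    print("final session data:", store.get(tokens[-1]))
    print("old ids still valid:", [store.get(t) is not None for t in tokens[:-1]])
    print(set_cookie_header(tokens[-1]))
```

Rotating the id each screen costs nothing in terms of user data, because only the key changes; what the text calls "trashing" would only happen if the store dropped the entry instead of re-keying it. For an end-of-transaction cleanup, `invalidate` removes the entry outright.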