[3875] in WWW Security List Archive
maintaining state and security
daemon@ATHENA.MIT.EDU (Security mailing lists)
Sat Dec 21 13:06:21 1996
Date: Sat, 21 Dec 1996 11:15:45 -0500 (EST)
From: Security mailing lists <security@beast.mfaa.com>
To: www-security@ns2.rutgers.edu
In-Reply-To: <9612211027.AB04874@uu10.psi.com>
Errors-To: owner-www-security@ns2.rutgers.edu
I have a rather large site on which I maintain state using CGI scripts
instead of cookies because we have a large number of users on older
browsers that will not support cookies. We run each page through a
script which adds on to each internal link this way:
Original link: /dir1/dir2/index.html
New link: /cgi/dealwithsession/sesionid/dir1/dir2/index.html
where sesionid is a unique number that allows us to pick up the user
name, etc., if the user has signed in. We can then pick up the sesionid and
the page to modify and display from an environment variable.
The security problem comes when a search engine indexes all of my pages.
The search engine gets assigned a session id (let's say 123); it comes in
and produces a link to /cgi/dealwithsession/123/dir1/dir2/index.html.
Now a user finds the link on the engine and uses it. If link 123 has not
been used in a long time the session ID will have expired and a new one
will be assigned. Not a problem. If, however, the search engine just
finished indexing or it's a popular engine and many people use it, it is
possible that 123 will not have expired and if 1 person logs in using
session 123 another can come along and be logged in. I could add the
remote IP address, but services like AOL change them in mid-session. As
the site gets busier this becomes a bigger problem. I could add a code
based on the page that the link is produced on, which would change, but
then if someone hit their back button a couple of times it would fail.
Any ideas on how to deal with this problem would be appreciated.
David Annis
david@annis.com
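
The scheme described in the message above, modelled as an added example that is not part of the original post: it reproduces the shared-link failure and contrasts it with one common mitigation, issuing a new session id at sign-in. All function names, the in-memory session table and the random hex ids are assumptions made for illustration.

```python
import re
import secrets

PREFIX = "/cgi/dealwithsession/"
SESSIONS = {}  # session id -> {"user": name or None}; stand-in for the site's session store

def new_session():
    """Create an anonymous session and return its id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": None}
    return sid

def rewrite_link(sid, link):
    """/dir1/dir2/index.html -> /cgi/dealwithsession/<id>/dir1/dir2/index.html"""
    return PREFIX + sid + link

def parse_path(path):
    """Split a rewritten path into (session id, original page)."""
    m = re.fullmatch(re.escape(PREFIX) + r"([^/]+)(/.*)", path)
    return (m.group(1), m.group(2)) if m else (None, path)

def resolve(path):
    """Return (sid, page, user); an unknown or expired id gets a fresh anonymous session."""
    sid, page = parse_path(path)
    if sid not in SESSIONS:
        sid = new_session()
    return sid, page, SESSIONS[sid]["user"]

def login_naive(sid, user):
    """As described in the post: the id already in the URL becomes the signed-in id."""
    SESSIONS[sid]["user"] = user
    return sid

def login_rotating(sid, user):
    """Mitigation: retire the pre-login id and hand a new one to this user only."""
    SESSIONS.pop(sid, None)
    fresh = new_session()
    SESSIONS[fresh]["user"] = user
    return fresh  # every link on pages served after sign-in is rewritten with this id

def second_visitor_sees(login):
    """A crawler's id lands in an indexed link (constructed scenario); two people follow it."""
    SESSIONS.clear()
    indexed = rewrite_link(new_session(), "/dir1/dir2/index.html")
    sid, _, _ = resolve(indexed)   # first visitor arrives through the indexed link
    login(sid, "alice")            # ... and signs in
    return resolve(indexed)[2]     # user attached to the second visitor's request
```

With rotation, the id published in the index never carries a signed-in user; a visitor who signs in and then backs up to a page rewritten with the old id is treated as anonymous again.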