
Thread: session ID collision (security issue) & cookies (Expires vs. Max-Age)
session ID collision (security issue) & cookies (Expires vs. Max-Age)
user name
2006-02-07 20:00:01
RFC or not, many browsers (Internet Explorer and Safari at least) do not properly recognize the Max-Age directive in the cookies. Cherrypy is also using this and as a result the browsers will delete the cookies set like that when the browser is closed. For sessions this is not really a problem since (IMO) a session should get deleted when a browser is closed ... in many ways that is the definition of a session right? Plus it rarely causes problems in real life.

If one is setting their own cookies however they must use the expires header as you do (which is also a lot messier to generate...).
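
The two attributes the post above contrasts, as an added example that is not code from this thread or from CherryPy (Python; the function names and the cookie values are constructed for illustration): emit both Max-Age and an equivalent Expires so a browser that ignores Max-Age still keeps the cookie for the intended time, and read the lifetime back the way such a browser would.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# CTLs, whitespace, DQUOTE, comma, semicolon and backslash are not valid in a
# cookie value; refuse them instead of emitting a header that may be misparsed.
_FORBIDDEN = set('",;\\') | {chr(c) for c in range(0x21)} | {chr(0x7F)}

def utc(year, month, day, hour=0, minute=0, second=0):
    """Timezone-aware UTC datetime (an Expires date must be given in GMT)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)

def build_set_cookie(name, value, max_age=None, now=None, path="/",
                     secure=True, http_only=True):
    """Return a Set-Cookie header value (constructed helper, not CherryPy's).
    max_age=None gives a session cookie, dropped when the browser closes.
    A positive max_age (seconds) emits Max-Age and an equivalent Expires,
    computed from `now` (aware UTC; defaults to the current time).
    """
    if "=" in name or any(ch in _FORBIDDEN for ch in name + value):
        raise ValueError("cookie name or value contains a forbidden character")
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        if max_age <= 0:
            raise ValueError("max_age must be a positive number of seconds")
        now = now or datetime.now(timezone.utc)
        expires = now + timedelta(seconds=max_age)
        # Expires takes an RFC 1123 date, e.g. "Thu, 09 Mar 2006 20:00:01 GMT"
        parts.append(f"Expires={format_datetime(expires, usegmt=True)}")
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)

def lifetime_seconds(set_cookie, now, honour_max_age=True):
    """Seconds a browser would keep the cookie, or None for a session cookie.
    honour_max_age=False models a browser that understands only Expires.
    """
    attrs = {}
    for item in set_cookie.split(";")[1:]:
        key, _, val = item.strip().partition("=")
        attrs[key.lower()] = val
    if honour_max_age and "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None
```

With both attributes present, a browser that honours Max-Age and one that only reads Expires compute the same lifetime; with Max-Age alone the second kind treats the cookie as a session cookie.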

session ID collision (security issue) & cookies (Expires vs. Max-Age)
user name
2006-02-07 20:23:52
> For sessions this is not really a problem since (IMO) a session
> should get deleted when a browser is closed ... in many ways
> that is the definition of a session right? Plus it rarely causes
> problems in real life.

I disagree. The sessionfilter will not match many people's expectations of what setting the max-age on the session cookie will do for you.

Say you want to write a site like slashdot where it remembers you when you come back the next day after closing/opening your browser, are you suggesting we cannot use the sessionfilter module? The point of the sessionfilter is that it provides the handy cherrypy.session['userid'] type of access, and the tracking of the sessions in a database. If I can't use sessionfilter to define my user's login to last for 30 days or so, then in my app I'm going to rebuild all the functionality of the sessionfilter module, the sessions table and the cherrypy.session object simply so that my cookie can say "expires" instead of "max-age"?

I think that since sessionfilter advertises that it uses a cookie to store the session, then it should properly write out a cookie on all browsers - especially the most common browser. Otherwise the time you set in the max-age has no meaning.

Jeff

session ID collision (security issue) & cookies (Expires vs. Max-Age)
user name
2006-02-07 21:52:20
What I was saying is that if you want to remember users from one day to another, through browser openings and closings and server restarts etc., the sensible thing to do is to explicitly set a cookie with the user id or whatever, then based on this cookie you can generate an up to date session. That's what most sites do. No large site, especially not slashdot, will actually save the objects in your session for weeks; that is just waste (and that's what not expiring a session means).

Now you could use the session variable as a free vehicle and as a replacement for this user identification. Alas that will not work with the current cherrypy.

All I'm saying is that in the end you might be better off doing it properly rather than trying to solve a problem (remembering users for the long term) with a solution that was never meant to work that way (storing data for the short term), because if you choose the latter you'll soon find yourself needing all kinds of other "features" that should not be part of the framework rather than your own application.

just an opinion

i.
