--
You received this message because you are subscribed to the Google Groups "play-framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to play-framewor...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
You received this message because you are subscribed to a topic in the Google Groups "play-framework" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/play-framework/9d8W2SSRGx8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to play-framewor...@googlegroups.com.
I understand that Play encrypts session cookies; therefore they can't be edited by the client. The client sees his cookies as gibberish.
If an attacker copies the client's cookies, can he effectively identify himself as that client? How do you secure an application in this regard?
1. User inactivity. In the original report this is marked as “Session Timeout” and recommended at fifteen minutes. This can be extended to meet business needs/use-cases and there is some debate on what exactly an appropriate value is. For these reasons it is marked as low. During the retest I left a session for two hours and it was still active. Is there a compelling business case for this level or can it be reduced to increase security?
2. User logs out. This is an explicit request from the user to terminate their current session; this is the new finding and is marked as “Insufficient Session Expiration”. The server should honour this immediately and expire the session. From the link, the following sums this up: “For the ideal secure web application, a user should be able to terminate at any time through the user interface”. This requires actions on both the client and server end (session cookie no longer valid).
The 2nd seems to require some kind of storing of session information server-side (or within a distributed cache). I should note, however, that we were using HTTPS and this was carried out by actually using an Interception Proxy.
What are everyone's thoughts on this? Does it seem like overkill to have to store the session on the server, or is this a valid security concern in this case?
Thanks,
Fraser
If you have a session cookie, you have a session cookie. A timeout value is something that you can put into the session cookie, but Play doesn't include that logic by default.
Storing session information in a low latency server side datastore is a great way to check that the session id is valid. If you have private information you want to keep in your session, you want that kept server side as well.
I would check out this link as a good reference for authentication:
https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication
Also check out session fixation attacks, which are a weakness of client-only cookies:
https://security.stackexchange.com/questions/55876/understanding-session-fixation-vulnerability
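The design the reply above sketches, as an added example that is not part of this thread and not Play's own code: a timestamp carried inside the signed cookie for the idle timeout (Play does not add one by default), a server-side store consulted on every request so that logout revokes the cookie immediately, and a fresh session id issued at login so that an id fixed before authentication is never honoured. It also answers the earlier question about a copied cookie: the copy is accepted until the session is revoked or times out, which is exactly why the store and the timeout matter. This is a small Python model of the mechanism rather than a Play action, so the `signature-payload` cookie format, the in-memory `SessionStore`, the fifteen-minute `IDLE_TIMEOUT` and all function names are assumptions; Play's session cookie is its own signed format, and a deployment would back the store with Redis or memcached.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: stands in for Play's application.secret; constructed for this example only.
SECRET = b"constructed-example-secret-do-not-reuse"
# The fifteen-minute idle limit quoted from the pentest report, in seconds.
IDLE_TIMEOUT = 15 * 60


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload, hex encoded (so no '-' can appear in it)."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def encode_session(data: dict) -> str:
    """Signed, not encrypted: the client can read the fields but cannot alter them
    without the key. Format is 'signature-payload', in the spirit of Play's cookie."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{_sign(payload)}-{payload}"


def decode_session(cookie: str) -> Optional[dict]:
    """Return the session fields if the signature verifies, otherwise None."""
    sig, _, payload = cookie.partition("-")
    if not sig or not sig.isascii() or not hmac.compare_digest(sig, _sign(payload)):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


class SessionStore:
    """Server-side registry of live session ids. In-memory stand-in for the
    low-latency datastore (Redis, memcached) a deployment would use."""

    def __init__(self) -> None:
        self._live: Dict[str, str] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # fresh, unguessable id
        self._live[sid] = user
        return sid

    def revoke(self, sid: str) -> None:
        self._live.pop(sid, None)

    def owner(self, sid: str) -> Optional[str]:
        return self._live.get(sid)


def login(store: SessionStore, user: str, now: float) -> str:
    """Issue a cookie with a brand-new id. Never keep an id the browser sent
    before authentication: that is what session fixation relies on."""
    sid = store.create(user)
    return encode_session({"sid": sid, "user": user, "ts": int(now)})


def logout(store: SessionStore, cookie: str) -> bool:
    """Explicit logout: drop the id server-side so the cookie dies immediately,
    even if a copy of it is held elsewhere. The caller also clears the cookie."""
    data = decode_session(cookie)
    if data is None:
        return False
    store.revoke(data["sid"])
    return True


def authenticate(store: SessionStore, cookie: str, now: float) -> Tuple[Optional[str], str]:
    """Per-request check. Returns (user, refreshed_cookie) on success or (None, reason)."""
    data = decode_session(cookie) if cookie else None
    if data is None:
        return None, "bad-signature"
    if now - data["ts"] > IDLE_TIMEOUT:
        store.revoke(data["sid"])          # idle too long: kill it server-side as well
        return None, "idle-timeout"
    if store.owner(data["sid"]) != data["user"]:
        return None, "revoked"             # logged out, or an id we never issued
    data["ts"] = int(now)                  # sliding window: refresh on each authenticated hit
    return data["user"], encode_session(data)


if __name__ == "__main__":
    store = SessionStore()
    cookie = login(store, "alice", time.time())
    print("copied cookie accepted:", authenticate(store, cookie, time.time())[0] == "alice")
    logout(store, cookie)
    print("after logout:", authenticate(store, cookie, time.time()))
```

Note what the store does and does not buy you: a stolen cookie is still a valid session until the victim logs out or the idle window closes, so HTTPS plus `Secure`/`HttpOnly` flags remain the primary defence against the copy being taken in the first place; the store makes logout and revocation real, and the timestamp makes the timeout real.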
To view this discussion on the web visit https://groups.google.com/d/msgid/play-framework/609c3a59-014c-43f1-ae11-960681d1e966%40googlegroups.com.