Is Session secure?


cx42net

Apr 4, 2011, 9:16:53 AM
to play-framework
Hi!

While working on a Play! project, I looked at the existing cookies Play!
generated.

As I was expecting, I saw a cookie dedicated to the session (with a
session ID), but what struck me was the fact that all the other
information normally stored in the session was also in that cookie
(a session.put("key", value) would be visible in the cookie as
key=value&etc.).

Is it possible to change these values directly from the cookie? Or is
there a test that is made against, say, the session ID to verify that
the data hasn't been changed from the browser?

Thanks for the reply!

David Wursteisen

Apr 4, 2011, 9:24:59 AM
to play-fr...@googlegroups.com
The cookie is signed. It will be invalidated if you change any data:
http://www.playframework.org/documentation/1.0/controllers#session




cx42net

Apr 4, 2011, 9:27:57 AM
to play-framework
That is all I wanted to hear! Thanks!

On 4 Apr, 15:24, David Wursteisen <david.wurstei...@gmail.com> wrote:
> the cookie is signed. It will be invalidated if you change any data
> http://www.playframework.org/documentation/1.0/controllers#session
>
> 2011/4/4 cx42net <cx42...@gmail.com>

Ivan San José García

Apr 4, 2011, 9:29:49 AM
to play-fr...@googlegroups.com

The session cookie is signed with your application secret. If anyone changes the contents of this cookie, the signature will not match, and Play! ignores this request automatically.

王宜国

Nov 25, 2013, 8:10:56 AM
to play-fr...@googlegroups.com
I used the Play session in my RESTful API server. If someone copies the cookie from client A to another client B, is it valid?

On Monday, April 4, 2011 at 9:29:49 PM UTC+8, ivansjg wrote:

Will Sargent

Nov 25, 2013, 1:06:00 PM
to play-fr...@googlegroups.com
You are still open to replay attacks, if that's what you mean. You can protect against it by storing some state on the server: http://jaspan.com/improved_persistent_login_cookie_best_practice

More generally, you should only store the session ID in the cookie, and then pull session data from a key / value store you control.





Will Sargent
Consultant, Professional Services
Typesafe, the company behind Play Framework, Akka and Scala
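The two points made in this thread, as an added example that is not part of the thread or of Play's own code: a simplified signed session cookie (HMAC over the serialized key/value data, verified with a constant-time comparison) rejects any edited cookie, yet an unmodified copy verifies from any client, whereas an opaque session ID backed by a server-side store can be revoked. The cookie layout, the secret, and the store are constructed for illustration and do not reproduce Play's exact format.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed stand-in for the application secret (assumption, not a real key).
SECRET = b"constructed-application-secret"


def sign(data: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 tag over the serialized session data."""
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


def encode_session(values: dict, secret: bytes = SECRET) -> str:
    """Client-side session: tag and plaintext data travel together in the cookie."""
    data = urlencode(values)          # e.g. "user=alice&role=user"
    return f"{sign(data, secret)}-{data}"


def decode_session(cookie: str, secret: bytes = SECRET):
    """Return the session dict, or None when the tag does not verify.

    The hex tag never contains "-", so the first "-" is the separator.
    compare_digest avoids leaking tag bytes through timing differences.
    """
    tag, sep, data = cookie.partition("-")
    if not sep or not hmac.compare_digest(tag, sign(data, secret)):
        return None          # edited data, edited tag, or wrong secret
    return dict(parse_qsl(data))


# Server-side alternative: the cookie carries only an opaque random ID and
# the data lives in a store the server controls, so a session can be ended.
SESSION_STORE: dict = {}


def new_server_session(values: dict) -> str:
    sid = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
    SESSION_STORE[sid] = dict(values)
    return sid


def lookup(sid: str):
    return SESSION_STORE.get(sid)


def revoke(sid: str) -> None:
    """Invalidate a session ID, e.g. on logout or suspected theft."""
    SESSION_STORE.pop(sid, None)
```

A signed cookie protects integrity only: the data stays readable to the client, and a stolen copy remains valid until the secret is rotated, whereas revoke() ends a server-side session immediately.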


