Is session secure?


Fauché JM

Jul 3, 2009, 5:30:43 PM
to web2py Web Framework
Hello,
In my application I have a function with public and private ways.
Do you think it is secure to do it like this:

def index():
    if not session.group: session.group = 'Public'
    redirect(URL(r=request, f='function'))
    return dict()

def function():
    ...
    if session.group == 'Public':
        ...
        form = there a form to choose a private group
        if form.accepts...:
            redirect(URL(r=request, f='sas'))
    else:
        ...
        there access to private information for the private
        session.group
        ...
    ....
    return dict(form=form, ...)

@auth.requires_membership(session.group)
def sas():
    session.flash = "now you are in the private group %s" % session.group
    redirect(URL(r=request, f='function'))
    return dict()

Thank you
Jean-Marc

mdipierro

Jul 3, 2009, 5:37:11 PM
to web2py Web Framework
It depends on the missing code but I do not think it is secure because this

@auth.requires_membership(session.group)

will work even if session.group='Public'

Fauché JM

Jul 3, 2009, 6:02:48 PM
to web2py Web Framework
In fact the 'Public' group doesn't exist in db.auth_membership (it is a
'virtual group' and can't be created).
When trying my code it works, and if session.group='Public' the user is
redirected by "auth.on_failed_authorization"...

But is it secure to use a session variable in @auth.requires_membership()?
Independently of my code.

Note: at first I tried to use a tuple as session.group=('id','role')
and when using @auth.requires_membership(session.group[1]) ...it
generates a ticket issue whose link generates a ticket issue
which ...etc...
Jean-Marc

Fauché JM

Jul 3, 2009, 6:24:22 PM
to web2py Web Framework
Sorry, when session.group='Public' it never redirects to sas because in
the code:

form = ...choice of a group in [auth_membership+'Public']
if form.accepts(request.vars, session):
    session.group = form.vars.group_choice
    if session.group != 'Public':
        redirect(URL(r=request, f='sas'))

mdipierro

Jul 3, 2009, 7:53:59 PM
to web2py Web Framework
That is the point. Security should not depend on the history but on
the state of the user.
Even if you do not redirect the user there, nothing prevents the user
from editing the URL.
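The point above, as an added stand-alone example that is not code from this thread or from web2py: a toy requires_membership decorator, an in-memory stand-in for db.auth_membership, and a plain dict for the session. It replays the history of a user who picks a group they do not belong to in the form, is bounced by sas(), and then requests the function's URL directly; function_by_history trusts session.group alone, function_by_state re-checks membership on the current request. All names here are assumed for the illustration, not web2py's own.

```python
from functools import wraps

# Constructed stand-in for db.auth_membership: (user_id, group role) pairs.
AUTH_MEMBERSHIP = {(1, "admins"), (2, "staff")}
PUBLIC = "Public"   # the 'virtual' group that never exists in auth_membership

class Forbidden(Exception):
    """Stands in for auth.on_failed_authorization bouncing the request."""

def is_member(user_id, role):
    return (user_id, role) in AUTH_MEMBERSHIP

def requires_membership(get_role):
    """Toy version of @auth.requires_membership(session.group): the role is
    read from the session on each request and verified against the table."""
    def decorator(action):
        @wraps(action)
        def wrapper(user_id, session):
            role = get_role(session)
            if role == PUBLIC or not is_member(user_id, role):
                raise Forbidden(role)
            return action(user_id, session)
        return wrapper
    return decorator

@requires_membership(lambda session: session.get("group", PUBLIC))
def sas(user_id, session):
    session["flash"] = "now you are in the private group %s" % session["group"]
    return "redirect to function"

def function_by_history(user_id, session):
    """The thread's function(): private data whenever session.group is not
    'Public', assuming the user must have passed sas() to get here."""
    group = session.get("group", PUBLIC)
    return "public page" if group == PUBLIC else "private data for %s" % group

def function_by_state(user_id, session):
    """Same action, authorized on the user's current state: membership is
    re-checked here, however the user arrived."""
    group = session.get("group", PUBLIC)
    if group == PUBLIC or not is_member(user_id, group):
        return "public page"
    return "private data for %s" % group

def scenario(user_id, chosen_group, action):
    """One user's history: pick a group in the form (session.group is stored),
    get bounced by sas() when not a member, then request the action directly."""
    session = {"group": chosen_group}       # server-side state, set by form.accepts
    try:
        sas(user_id, session)
    except Forbidden:
        pass   # on_failed_authorization redirects, but session.group stays as chosen
    return action(user_id, session)
```

Run with scenario(2, "admins", function_by_history) versus scenario(2, "admins", function_by_state): user 2 is not an admin, so only the state-based version keeps the private data out of reach.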

Fauché JM

Jul 4, 2009, 7:32:55 AM
to web2py Web Framework
OK, I understand, but in the URL I think there is only: path/args.
Do session values appear in the URL?
Does the user have any way to look at and/or set session values?

Thank you
Jean-Marc

mdipierro

Jul 4, 2009, 11:40:29 AM
to web2py Web Framework
No, sessions only live server side.