[fixing formatting, I hope]
Hi,
In the documentation for Hunchentoot it says that start-session either uses a cookie or url rewriting to maintain the session state. Then it goes on to say:
Hunchentoot makes some reasonable effort to prevent eavesdroppers from hijacking sessions (see below), but this should not be considered really secure. Don't store sensitive data in sessions and rely solely on the session mechanism as a safeguard against malicious users who want to get at this data!
What is it referring to when it says "see below?" If we assume malicious users can get at the data, is this different from session hijacking?
I am assuming (maybe incorrectly) that the following sequence is as secure as the user name and password.
- User connects via https (no session exists)
- Since no session exists, user is redirected to some login page
- User enters user name and password and submits form
- This information is authenticated and a session is created:
  (setf hunchentoot:*session* (hunchentoot:start-session))
- On subsequent requests, since the user has a session, we can assume they are authenticated:
  (unless hunchentoot:*session* (redirect-to-login-page))
I guess it all hinges on start-session and how it generates the session ids.
Thanks.
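The login flow sketched in the post, written out as an added example (it is neither code from the original message nor part of Hunchentoot itself). It assumes Hunchentoot is already loaded, and the /login and /app URIs, the *users* table, the certificate paths and the verify-credentials helper are all placeholders constructed for the example. It differs from the sketch in two defensive details: a request counts as logged in only when the session carries a user value set by the login handler (a session object existing is not proof of authentication, since anything can call start-session), and the session cookie value is regenerated at login so an id handed to the browser before authentication does not carry over. The regenerate-session-cookie-value call is assumed to be present in recent Hunchentoot releases; older ones lack it.

```lisp
;;; Added example, not from the original post or the Hunchentoot project.
;;; Assumes Hunchentoot is loaded, e.g. (ql:quickload "hunchentoot").
;;; Paths, URIs and the user table below are placeholders.

(defpackage :session-demo
  (:use :cl)
  (:export #:start-server))
(in-package :session-demo)

;;; Tighten the session mechanism before the first session is created.
(setf hunchentoot:*rewrite-for-session-urls* nil)   ; id travels only in the cookie, never in URLs/Referer/logs
(setf hunchentoot:*use-user-agent-for-sessions* t)  ; tie the session to the User-Agent header
(setf hunchentoot:*use-remote-addr-for-sessions* t) ; ...and to the client address (breaks clients whose address changes)
(setf hunchentoot:*session-max-time* 900)           ; idle timeout in seconds
(hunchentoot:reset-session-secret)                  ; fresh secret for this process; old sessions become invalid

;;; Constructed credential table for the example only.  Real code stores a
;;; salted password hash and compares against it with a proper verifier.
(defparameter *users* '(("alice" . "correct horse battery staple")))

(defun verify-credentials (username password)
  "Placeholder check against the constructed table; returns true on a match."
  (let ((entry (and username (assoc username *users* :test #'string=))))
    (and entry password (string= (cdr entry) password))))

(defun current-user ()
  "Username stored in the current session by the login handler, or NIL.
A bare session is not enough: only a session with a :user value counts."
  (and hunchentoot:*session*
       (hunchentoot:session-value :user)))

(defmacro with-login-required ((var) &body body)
  "Bind VAR to the logged-in username and run BODY; otherwise redirect to /login."
  `(let ((,var (current-user)))
     (if ,var
         (progn ,@body)
         (hunchentoot:redirect "/login"))))

(hunchentoot:define-easy-handler (login :uri "/login") (username password)
  (cond
    ((and (eq (hunchentoot:request-method*) :post)
          (verify-credentials username password))
     (hunchentoot:start-session)
     ;; Re-key the session at the authentication boundary so an id issued
     ;; before login does not stay valid afterwards (assumed to exist in
     ;; recent Hunchentoot releases).
     (hunchentoot:regenerate-session-cookie-value hunchentoot:*session*)
     (setf (hunchentoot:session-value :user) username)
     (hunchentoot:redirect "/app"))
    (t
     "<form method=\"post\" action=\"/login\">
        <input name=\"username\">
        <input name=\"password\" type=\"password\">
        <button>Log in</button>
      </form>")))

(hunchentoot:define-easy-handler (app :uri "/app") ()
  (with-login-required (user)
    (format nil "Hello, ~a" (hunchentoot:escape-for-html user))))

(hunchentoot:define-easy-handler (logout :uri "/logout") ()
  (when hunchentoot:*session*
    (hunchentoot:remove-session hunchentoot:*session*))
  (hunchentoot:redirect "/login"))

(defun start-server (&key (port 4443))
  "Serve over TLS only, so the session cookie never crosses the wire in clear."
  (hunchentoot:start
   (make-instance 'hunchentoot:easy-ssl-acceptor
                  :port port
                  :ssl-certificate-file "/path/to/cert.pem"  ; placeholder
                  :ssl-privatekey-file "/path/to/key.pem"))) ; placeholder
```

Run (session-demo:start-server) and browse to https://localhost:4443/app: without a session you are sent to /login, and after a successful POST the :user value in the session is what /app trusts. The remaining exposure is whatever can read the cookie value itself, which is why the example keeps the id out of URLs and serves only over TLS.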