On Sun, 23 Dec 2007 23:04:20 +0100, Edi Weitz wrote:
> [snip]
> The explanation of the details of the session mechanism, specifically *USE-REMOTE-ADDR-FOR-SESSIONS* and *USE-USER-AGENT-FOR-SESSIONS*.
> [snip]
> To hijack a session someone has to get at the session ID. That's not Hunchentoot's problem, but if you (see above) already start with https, that's certainly a good thing. The question is what you can do with a foreign session ID once you have it. How long does it last? Will it work with different browsers and/or from different IPs? And so on.
> Hunchentoot tries to provide a couple of options, but eventually you will have to make a decision.
OK, thank you for your clarifications. I went through the source and noticed that the session IDs are generated sequentially. So one other way that sessions can be hijacked is by guessing the session ID. Of course, this is if you do not use the IP address and user agent options that you mentioned above. Otherwise, even if you use SSL, your session can be hijacked.
Hypothetically speaking, if I wanted to prevent hijacking by guessing, I could just redefine hunchentoot:get-next-session-id.
Does this sound correct?
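As an added illustration (not code from this thread or from Hunchentoot itself) of the replacement the poster has in mind, here is a sequential generator beside one that draws its IDs from the kernel CSPRNG. It assumes, as the thread does, that GET-NEXT-SESSION-ID is a zero-argument function returning a non-negative integer; the function and variable names below are hypothetical, and /dev/urandom is assumed to exist (Unix-like host).

```lisp
;;; Added example, not Hunchentoot's code.  Names are hypothetical.

;; What the thread observed: a counter.  Each ID is one more than the last,
;; so anyone holding (or observing) one ID can derive its neighbours.
(defvar *sequential-counter* 0)
(defun sequential-session-id ()
  (incf *sequential-counter*))

;; Replacement: 128 bits from the operating system's CSPRNG.
;; CL:RANDOM is deliberately not used; it is a PRNG seeded predictably
;; and is not suitable for secrets.
(defparameter *session-id-bytes* 16
  "16 bytes = 128 bits of entropy per ID; guessing is infeasible.")

(defun read-urandom-bytes (n)
  "Read exactly N bytes from /dev/urandom (assumed present)."
  (with-open-file (s "/dev/urandom" :element-type '(unsigned-byte 8))
    (let ((buf (make-array n :element-type '(unsigned-byte 8))))
      (unless (= (read-sequence buf s) n)
        (error "Short read from /dev/urandom"))
      buf)))

(defun random-session-id ()
  "Return an unguessable non-negative integer usable as a session key."
  (let ((id 0))
    (loop for byte across (read-urandom-bytes *session-id-bytes*)
          do (setf id (logior (ash id 8) byte)))
    id))

;; Redefinition as the poster proposes; the package-qualified name comes
;; from the thread.  Check the signature in your Hunchentoot version first.
;; (defun hunchentoot:get-next-session-id () (random-session-id))
```

With 128 random bits a collision between two live sessions is negligible, but an ID is only as secret as its transport: the thread's point about https still applies.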
Btw, great set of libraries. I don't know how you do it. My theory is that you are really three people.