[WEB SECURITY] standards for session tokens

Randall Hansen randall at raan.net
Fri Dec 1 01:32:52 EST 2006


On Thu, Nov 30, 2006 at 09:43:44PM -0500, Brian Eaton wrote:

> The scalability penalty is in needing to maintain the session store on
> the server.

I agree that this is an issue, but not I think a deal-breaker.
Starting from the given that sessions are very useful, a little extra
horsepower on the server seems a good trade-off.

> The reliability penalty comes when you start worrying about server
> failure.

I'd trust a server under the control of a good sysadmin much more than
a user's browser cache.

> Maybe even shared across applications written in different
> languages, by different people?

With a little work, this is possible today.  Not across different
servers, but OTOH a cross-server API to encrypted client-side
credentials would be an irresistible attack vector.

> Something that could be reviewed, attacked, improved, and eventually
> widely deployed and widely trusted?

I think that's a nice idea, but the bottom line is that storing
encrypted credentials on the client requires trusting that client.
That's the root of many security problems, and is IMHO intractable.

r
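An added example, not part of the thread, that puts the two designs being argued over side by side in standard-library Python: an opaque random token backed by a server-side store (revocable, but the server must hold state) versus a self-contained HMAC-signed token carried by the client (stateless and tamper-evident, but the server cannot invalidate one copy without state). The names `ServerSessionStore`, `issue_client_token`, `verify_client_token` and `SERVER_KEY` are mine.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for the demo; in production it lives in a secret store.
SERVER_KEY = secrets.token_bytes(32)


class ServerSessionStore:
    """Design A: the token is random and meaningless; all state is server-side."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "created": int(time.time())}
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        # Logout is a single dictionary removal; every copy of the token dies.
        return self._sessions.pop(token, None) is not None


def issue_client_token(user, key=SERVER_KEY):
    """Design B: the token carries its own claims plus an HMAC over them."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"user": user, "iat": int(time.time())}).encode()
    )
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_client_token(token, key=SERVER_KEY):
    """Return the claims if the tag is valid, else None. Nothing is looked up."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        expected = hmac.new(key, payload_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
            return None  # altered claims or altered tag
        return json.loads(base64.urlsafe_b64decode(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None
```

Note that design B has no `revoke`: after a logout the signed token still verifies until the key is rotated or an expiry in the claims passes, which is the server-side state the thread is weighing against scalability.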
