Re: [Gnumed-devel] GNUmed web interface - authentication
From: Luke Kenneth Casson Leighton
Subject: Re: [Gnumed-devel] GNUmed web interface - authentication
Date: Thu, 7 Oct 2010 20:19:42 +0100
On Thu, Oct 7, 2010 at 7:54 PM, Sebastian Hilbert
<address@hidden> wrote:
> On Thursday 07 October 2010 11:44:49 Richard Taylor wrote:
>> Hi
>>
> Richard,
>
> Thanks for your comments.
>
>> Quick introduction: I just stumbled over GNU Med (followed a link from
>> Linux Weekly News). I am a Python programmer and I have some experience
>> of working on security issues in medical systems. I know very little
>> about GNUmed, so please forgive me if I say something that you are
>> all fed up with discussing already :-)
>>
> nah :-)
>
>> It looks to me that there is a security problem with using session
>> cookies as the method of linking the user identity to the database
>> connection between requests. The concern is that it would be quite easy
>> to steal the cookie (either by monitoring the network or by pulling it
>> from the browser cookie store) and then hijack the session.
>
> That is indeed a problem.

you'd use HTTPS to alleviate the network monitoring issue, and i'd
say that if the user allows access to the machine that is running the
browser, such that the cookies could be obtained, you have a much
bigger problem than just the cookies being obtained.

i would absolutely love it for somebody else to replace the
non-persistent-HTTP1.0->persistent-HTTP1.1 proxy that i had to write,
it would be great.

l.
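As an added example, not code from this thread or from GNUmed itself: a minimal Python session store that shows the server-side half of the mitigation discussed above. It issues the session cookie only with the Secure and HttpOnly attributes (so the browser never sends it over plain HTTP and page scripts cannot read it), refuses to honour a cookie that arrives on a non-HTTPS request, and expires a session after an idle timeout so that a captured cookie has a bounded lifetime. The cookie name, the WSGI-style `environ` dict it reads, the `SessionStore` class and the timeout value are all assumptions made for this example. It does nothing about a cookie lifted from the browser's own store on a compromised client; that is the case Luke sets aside as a bigger problem than the cookie.

```python
"""Hardened session-cookie issuance and validation.

Added example, not GNUmed code. Assumes a WSGI-style environ dict that
carries 'wsgi.url_scheme' and 'HTTP_COOKIE'; everything else is stdlib.
"""
import hmac
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "gnumed_session"   # hypothetical cookie name, chosen for the example
IDLE_TIMEOUT = 15 * 60           # seconds of inactivity after which a session dies


class SessionStore:
    """In-memory map from an opaque random token to the logged-in user.

    The token is generated with the secrets module and is never derived
    from the user name or the database role, so it cannot be guessed; the
    only way to obtain it is to capture it, which is exactly the risk the
    cookie attributes and the idle timeout are meant to narrow.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}   # token -> {"user": str, "last_seen": float}
        self._clock = clock   # injectable so expiry can be exercised in tests

    def create(self, user):
        """Start a session for `user` and return the opaque token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def set_cookie_header(self, token):
        """Render the Set-Cookie header value for a freshly created session."""
        jar = SimpleCookie()
        jar[COOKIE_NAME] = token
        jar[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
        jar[COOKIE_NAME]["httponly"] = True    # invisible to document.cookie
        jar[COOKIE_NAME]["samesite"] = "Strict"
        jar[COOKIE_NAME]["path"] = "/"
        return jar.output(header="").strip()

    def lookup(self, environ):
        """Return the user for this request's cookie, or None if it is not
        acceptable: plain HTTP, unknown token, or idle for too long."""
        # A cookie presented over plain HTTP is treated as already leaked.
        if environ.get("wsgi.url_scheme") != "https":
            return None
        jar = SimpleCookie()
        jar.load(environ.get("HTTP_COOKIE", ""))
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None
        presented = morsel.value
        # Compare against every stored token in constant time rather than
        # doing a dict lookup, so response timing does not leak token bytes.
        match = None
        for stored in self._sessions:
            if hmac.compare_digest(stored, presented):
                match = stored
        if match is None:
            return None
        session = self._sessions[match]
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[match]   # a stolen cookie stops working here
            return None
        session["last_seen"] = now
        return session["user"]

    def destroy(self, token):
        """Log out: forget the token so a captured copy is useless."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("dr_example")            # constructed sample user
    print(store.set_cookie_header(tok))
    print(store.lookup({"wsgi.url_scheme": "https",
                        "HTTP_COOKIE": COOKIE_NAME + "=" + tok}))
    print(store.lookup({"wsgi.url_scheme": "http",
                        "HTTP_COOKIE": COOKIE_NAME + "=" + tok}))
```

Binding the session to a server-side record, rather than encoding the user in the cookie, also means the database connection or role can be looked up from that record per request, and `destroy` on logout revokes it immediately instead of waiting for the cookie to age out.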