
Re: [Gnumed-devel] GNUmed web interface - authentication


From: Luke Kenneth Casson Leighton
Subject: Re: [Gnumed-devel] GNUmed web interface - authentication
Date: Thu, 7 Oct 2010 20:19:42 +0100

On Thu, Oct 7, 2010 at 7:54 PM, Sebastian Hilbert
<address@hidden> wrote:
> On Thursday 07 October 2010 11:44:49 Richard Taylor wrote:
>> Hi
>>
> Richard,
>
> Thanks for your comments.
>
>> Quick introduction: I just stumbled over GNU Med (followed a link from
>> Linux Weekly News). I am a Python programmer and I have some experience
>> of working on security issues in medical systems. I know very little
>> about GNUmed, so please forgive me if I say something that you are
>> all fed up with discussing already :-)
>>
> nah :-)
>
>> It looks to me that there is a security problem with using session
>> cookies as the method of linking the user identity to the database
>> connection between requests. The concern is that it would be quite easy
>> to steal the cookie (either by monitoring the network or by pulling it
>> from the browser cookie store) and then hijacking the session.
>
> That is indeed a problem.

 you'd use HTTPS to alleviate the network monitoring issue, and i'd
say that if the user allows access to the machine that is running the
browser, such that the cookies could be obtained, you have a much
bigger problem than just the cookies being obtained.

 i would absolutely love it for somebody else to replace the
non-persistent-HTTP1.0->persistent-HTTP1.1 proxy that i had to write;
it would be great.

 l.
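As an added illustration of the hardening discussed in this thread (example code, not GNUmed's own): a server-side session table that binds an authenticated database connection to a random, HMAC-signed token, sends the cookie with Secure/HttpOnly/SameSite attributes so it is never exposed on plain HTTP or to page scripts, and expires idle sessions so a copied cookie has a short useful life. The cookie name, idle timeout and signing key are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: in a deployment the key comes from server config.
SIGNING_KEY = secrets.token_bytes(32)
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the binding is dropped
COOKIE_NAME = "gm_session"      # hypothetical cookie name, not GNUmed's

# session_id -> {"user": ..., "conn": <per-user DB connection>, "last_seen": ...}
_sessions = {}

def _sign(session_id: str) -> str:
    """HMAC tag so a forged session id is rejected before any table lookup."""
    return hmac.new(SIGNING_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def issue_session(user: str, conn, now=None) -> str:
    """Bind an already-authenticated DB connection to a fresh random token."""
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"user": user, "conn": conn,
                             "last_seen": now if now is not None else time.time()}
    return f"{session_id}.{_sign(session_id)}"

def cookie_header(token: str) -> str:
    """Set-Cookie value: Secure keeps it off plain HTTP (HTTPS only), HttpOnly
    keeps it away from page scripts, SameSite=Strict stops cross-site sends."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

def lookup_connection(token: str, now=None):
    """Return the DB connection for a valid, non-idle token, otherwise None."""
    now = now if now is not None else time.time()
    session_id, _, tag = token.rpartition(".")
    if not session_id or not hmac.compare_digest(tag, _sign(session_id)):
        return None                      # forged, truncated or corrupted token
    entry = _sessions.get(session_id)
    if entry is None:
        return None                      # unknown or already revoked
    if now - entry["last_seen"] > IDLE_TIMEOUT:
        revoke(token)                    # stale: a leaked cookie dies with it
        return None
    entry["last_seen"] = now
    return entry["conn"]

def revoke(token: str) -> None:
    """Logout or timeout: forget the binding so the token stops working."""
    _sessions.pop(token.rpartition(".")[0], None)
```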


