2006-08-25
Please don't use session cookies
Recently I have become quite irritated at a couple of websites that I visit regularly. See, they have a membership system, and I'm a duly paid member (I like them, and membership has some benefits, although I rarely use them), and they recently switched to using session cookies for logins. Which means that every day when I visit, I get to make a time-wasting detour through their login page.
It's tempting to think that if you use session cookies, the users are 'more secure' than if you give your cookies an explicit expiry time because they will expire sooner. This is clearly false: as implied by the name, session cookies last for the entire browser session, however long that is. It could be minutes, but it could also be weeks (and yes, I know people who keep their browsers around that long, myself included).
(RFC 2965 session cookies can have an explicit expiry time, but I don't know how widely they're supported. Original style session cookies are created by omitting the expiry time when you set them (cf RFC 2109).)
If your security needs really require people's sessions to expire relatively rapidly, you need to do this on the server end: have a maximum idle time or a maximum duration (or both). You can use session cookies too, but you should consider them only an extra bit of safety for the user.
(Hint: if you think your security needs require this and you are not using https, I am going to laugh at you.)
In fact, if your security needs require people's sessions to expire at all, you need to use explicit timers (on your end). Otherwise you might as well serve up persistent cookies with a conveniently large expiry time. (DWiki uses a year.)
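Here is what those server-side timers look like, as an added example that is not the original post's code or DWiki's: a session store that enforces both a maximum idle time and a maximum absolute duration, independent of whatever the browser does with the cookie. The thirty-minute and twelve-hour limits, the in-memory store and the injectable clock are assumptions made for the illustration.

```python
"""Server-side session expiry with a maximum idle time and a maximum duration.

Added example; not DWiki's session code. The limits below are assumptions.
"""
import secrets
import time
from dataclasses import dataclass

MAX_IDLE_SECONDS = 30 * 60        # assumed: 30 minutes without a request ends the session
MAX_DURATION_SECONDS = 12 * 3600  # assumed: 12 hours from login ends it regardless of activity


@dataclass
class Session:
    user: str
    created: float    # when the session was issued
    last_seen: float  # last request that presented this session


class SessionStore:
    """Keeps the expiry decision on the server, where it cannot be bypassed by a
    browser that simply never ends its 'session' or ignores cookie lifetimes."""

    def __init__(self, clock=time.time, max_idle=MAX_IDLE_SECONDS,
                 max_duration=MAX_DURATION_SECONDS):
        self._clock = clock           # injectable so expiry can be tested deterministically
        self._sessions = {}           # token -> Session (assumed in-memory store)
        self.max_idle = max_idle
        self.max_duration = max_duration

    def create(self, user):
        """Issue an unguessable token for a freshly authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token):
        """Return the user for a live session, or None.

        A session is dead if it has been idle too long OR has existed too long;
        either limit alone is insufficient, since a busy user would otherwise
        keep a session alive forever. Expired sessions are deleted on sight."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.created > self.max_duration
                or now - sess.last_seen > self.max_idle):
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess.user

    def purge_expired(self):
        """Sweep sessions that expired without being presented again.
        Returns how many were removed."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items()
                if now - s.created > self.max_duration
                or now - s.last_seen > self.max_idle]
        for t in dead:
            del self._sessions[t]
        return len(dead)
```

With this in place, the cookie's own lifetime (session or a year) only decides when the browser stops sending the token; the server decides when the token stops working.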
One reason to consider using session cookies
Apparently, some people and some browsers are more willing to accept session cookies than persistent cookies (an issue brought to my attention by Tom Boutell).
However, if you're using session cookies for this reason, please send both a session cookie and a persistent cookie, and consider the user logged in if you see either cookie. That way you are not inconveniencing the people who are willing to accept your persistent cookies.
(If you see only the persistent cookie, don't try to reissue the session cookie; it's pointless and will annoy the user in some browser configurations.)
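The dual-cookie approach described above, as an added example rather than code from the original post or from DWiki: one login sets a session cookie (no Max-Age, so it dies with the browser session) and a persistent cookie (a one-year Max-Age) carrying the same server-side token, and a request is treated as logged in if either cookie validates. The cookie names, the one-year lifetime and the `is_valid_token` callback are assumptions.

```python
"""Issue a session cookie and a persistent cookie together and accept either.

Added example; not DWiki's code. Cookie names and lifetimes are assumptions.
"""
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIE = "dwiki_s"     # assumed name; no Max-Age/Expires => browser-session cookie
PERSISTENT_COOKIE = "dwiki_p"  # assumed name; explicit Max-Age => survives browser restarts
ONE_YEAR = 365 * 24 * 3600     # the persistent lifetime; DWiki uses a year


def login_set_cookie_headers(token, secure=True):
    """Build the Set-Cookie header values sent once, at login time.

    Both cookies carry the same token; the server-side session (with its own
    idle/duration timers) is what actually decides whether the token is live."""
    headers = []
    for name, max_age in ((SESSION_COOKIE, None), (PERSISTENT_COOKIE, ONE_YEAR)):
        jar = SimpleCookie()
        jar[name] = token
        jar[name]["path"] = "/"
        jar[name]["httponly"] = True   # keep page scripts from reading the token
        if secure:
            jar[name]["secure"] = True  # only over https, per the hint in the post
        if max_age is not None:
            jar[name]["max-age"] = max_age
        headers.append(jar[name].OutputString())
    return headers


def logged_in_token(cookie_header, is_valid_token):
    """Return the valid token from whichever login cookie the browser sent, or None.

    The session cookie is checked first, but the persistent one is just as good.
    Nothing is reissued when only the persistent cookie arrives: that browser is
    evidently declining session cookies, and re-sending one only annoys the user."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None  # malformed Cookie header: treat as anonymous, don't crash
    for name in (SESSION_COOKIE, PERSISTENT_COOKIE):
        morsel = jar.get(name)
        if morsel is not None and morsel.value and is_valid_token(morsel.value):
            return morsel.value
    return None
```

`is_valid_token` would be the server-side store's lookup, so a stale persistent cookie from a year ago is rejected by the server's timers rather than trusted just because the browser kept it.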
Another stupid spider mistake
To follow up my earlier entry on this stuff, I just saw another stunned monkey moment:
- you can't randomly add a trailing slash to URLs any more than you can randomly remove them.
- especially when the URL includes a query parameter, because then you're changing the query. And that always works really well.
From the pattern of the stealth spider's requests, I think it is adding the trailing slash on any URL that doesn't end in a filename with an extension. This is stunningly braindead, as extensions are nothing more than a hack workaround so webservers don't need real metadata about what MIME type a file is.
(It also has other problems, like not properly resolving relative URLs that use '..'.)
This stunned monkey moment is brought to you by the idiotic stealth spider running from 204.11.99.2, which is claimed to belong to a 'Goo Khim Yeung' as 204.11.99.0/29. (Assuming that the WHOIS information is accurate, which it isn't always.)
2006-08-04
My current set of Firefox extensions
I've been using a lot of different machines lately and thus customizing Firefox on them, which means I've been playing around with Firefox extensions a bunch more than usual (new environments are both a good way to find out what I find essential and to play with things I'm not sure about in an expendable setting). This makes it a good time to write down my current set of them for future (and current) reference.
Essential extensions that I turn out to install everywhere:
- All-In-One Gestures: I installed this a while back on a whim and then discovered I can't live without it, because it means I can often browse without having to take my hand off the mouse.
- NoScript: I browse with Javascript off, but some sites really need it (like Google Maps). NoScript lets me selectively enable JS only for such sites (instead of having to turn it on globally), and it's convenient and unobtrusive (with the right settings; I recommend turning off all of the noisy notifications).
Additional extensions I have installed on my core machines:
- PrefBar: This used to be the best way of enabling Javascript when I needed it, but has been supplanted in my affections by NoScript. I keep it around mostly to have a quick way of disabling and enabling my filtering proxy. (Oddly, it is not on addons.mozilla.org.)
- Nightly Tester Tools: I need this so I can force extensions to be enabled in my personal Firefox builds, which are compiled from the bleeding-edge CVS trunk. If you don't run CVS trunk or nightly builds you probably have no use for this.
Extensions that I am experimenting with:
- Stylish: My current solution to the Slashdot problem. I'm not sure that browsing Slashdot justifies an entire extension, but it works, with the drawback that you have to be able to write CSS.
- CookieSafe: My latest attempt to find an extension that deals with cookies like NoScript deals with Javascript. It's OK so far, and as a bonus it's a good way to see basic information about the cookies I've allowed a website to dump on me.
(My usual way to deal with cookies is to let my filtering proxy eat them, but this doesn't work when the cookies are being thrown at me by Javascript on a site where I've temporarily enabled Javascript. Yet I haven't wanted to just drop all unapproved cookies, because sometimes a JS-using site turns out to need them too.)
And finally, popular extensions that I don't (currently) use for various reasons:
- Flashblock: My Linux version of Flash doesn't work without Javascript turned on, so I get the effects for free.
- AdBlock: I solve this problem with a filtering proxy.
- GreaseMonkey: I haven't found a need so far, since I tend to just avoid sites that require random mangling in order to be acceptable.
- SessionSaver: Firefox almost never crashes on me (despite running bleeding edge CVS versions), and current trunk Firefox builds have this built in.
Note that my tastes in extensions are pretty minimal, much like my tastes in the rest of my Firefox setup. There are any number of nice extensions that I don't have installed just because I don't work in their area often enough to make it worthwhile (this is why there are no web development extensions here, for example).