I'm wondering if modern web browsers are still vulnerable to "Cross-Site Cooking" attack when cookies are set from another domain?
They should be equipped to deal with this exploit today.
See: This blog post.
Related
I have a Joomla site and I want to block Internet Explorer users from visiting the site while showing them a custom page asking them to upgrade to another browser.
Thanks in advance.
Wow, that's a bad idea and I hate IE. You have to keep in mind that there are many users that don't have the option to switch browsers - most users surfing from work are not allowed to install any software so you would be impacting your traffic pretty seriously.
Really, there is no valid reason not to support IE7/8 or newer. It's not hard to make sites work in IE if they are coded well. Stick to good practices and most issues are simply not an issue.
That said, if you REALLY want to do this, all you need is a simple bit of JavaScript that detects the browser's user agent and then redirects as needed. There are hundreds of scripts for detecting user agents, just Google it.
I'm aware of different ways to specify cookie lifetime on desktop, but what about mobile? I suppose some cookies may "die" earlier than configured because of a lack of space on the mobile device. Does anyone have any research on this?
It is more of a network issue than space on the phone. Some mobile networks may discard cookie information. This was the case with many networks as recent as 3 years ago. Unfortunately I don't have any information about which ones.
We'll be developing mobile applications (for both iOS and Android platforms) that will be using web services. I'll be the one implementing the web services part and I plan on using Apache CXF.
It would be the first time I'm using CXF but I'm highly considering it because of its integration with Spring.
What are the potential issues (if any) with using CXF for mobile apps? If there are, is there supposed to be a better alternative to CXF? If there are none, any best practices I should also be considering?
Thanks!
I've been through the mobile ringer... WAP, J2ME, Brew, embedded languages, etc. Mobile development is exciting and also a bit scary...
Spring Integration: There is a big difference between * and **... be careful when setting up filters. It's easy to get out of hand securing end-points.
Authentication: How will your mobile devices authenticate and what is their role in Authentication, Authorization, and Access? Session management on occasionally connected devices - can get interesting. If a session goes stale how are you going to handle challenge / response?
App Security: Does your solution require SSL? Managing self-signed certificates is painful and time consuming. Do yourself and your mobile devs a favor and get a CA certificate in place up-front. You will save time (money) and a great deal of headache.
Proxy Power: Ideally, the people writing the front-end should be using an IDE that supports some kind of tethering for realtime debugging. Being able to add a breakpoint and introspect what's going on in the code... is mint. However, I haven't seen an IDE yet that gives front-end mobile devs the same experience as back-end devs. My guess is that your mobile devs are going all goo-goo eyes over jQuery. Understandably so! WebStorm and Aptana are good in the JS arena - but they're still evolving.
This is a problem front-end mobile devs need to work out... right? Yes... and no. Without proper tools everyone in the dev-chain will have to cook-up their own ways of answering questions like:
What did the mobile app send?
Was the request formed correctly?
What was the response?
Again, save yourself some time and finger-pointing and just sit down together (front and back-end devs) and work out a tech-stack that provides everyone optimal access to all app communications. Configurable logging on the server is a good idea to have in place from inception. Are you familiar with Firebug or Charles Proxy? A proxy can greatly simplify the debugging equation - just sayin'
Exceptions: Oh... and beware HTTP response codes. Exceptions on the server-side should be gracefully handled to prevent mobile consumers from choking on responses. Yikes - that's all I can say is YIKES!
Service / Life Cycle: Have you calculated the duration of the service and / or life cycle of your application? Knowing this can greatly impact architectural decisions.
Web Services: My knee-jerk reaction - is this the best technology for your product? Why Web Services? Can you come up with three concrete reasons why WS is the best option? From my experience, the most compact protocol will usually lead to the best user experience.
Food for thought... ASP.NET and JSon make a good pair.
http://encosia.com/using-jquery-to-consume-aspnet-json-web-services/
SOAP-XML is cumbersome. :-(
http://openlandscape.net/2009/09/25/call-soap-xm-web-services-with-jquery-ajax/
Have you considered RESTful Web Services? If you're using CXF... there are three different ways to build RESTful Web Services.
JAX-RS (CXF has an implementation of JSR-311 baked-in)
JAX-WS (more complicated - meh)
HTTP Binding (deprecated... may be removed from CXF in the future - fair warning)
More at: http://cxf.apache.org/docs/restful-services.html
Examples: http://solutionsfit.com/blog/2010/04/21/enterprise-mashups-with-restful-web-services-and-jquery-part-1/
Alternatives: There are so many great projects out there... Axis2 and Shiro come to mind. Without knowing more about your solution - it's difficult to recommend anything.
Final Thoughts: As a back-end dev, I would recommend getting familiar with the entire app tech stack and kick-off development with a series of small but functional samples that light the way through the obstacles mentioned above. Hold-on to the samples! They may prove useful in zeroing in on regression.
Mobile devices are getting faster and faster every day... it's true, but any dev worth their salt will know that they need to code to a common denominator if they want a mobile product to be widely consumed, adopted, and embraced.
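The answer above warns about the difference between * and ** when mapping security filters. The following example (added here, not from the answer or from Spring itself) models the relevant part of Spring's Ant-style path matching (* stays within one path segment, ** spans segments) and lists which constructed endpoints a filter mapped to each pattern would leave uncovered.

```python
import re

# Constructed endpoints to check a filter mapping against.
ENDPOINTS = [
    "/api/orders",
    "/api/orders/42",
    "/api/admin/users/7",
]


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style pattern into an anchored regex.

    Simplified model of Spring's AntPathMatcher semantics (not Spring's code):
    '*' matches any characters inside a single segment, '**' matches zero or
    more whole segments, '?' matches one character inside a segment.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")      # zero or more whole segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")         # never crosses a '/'
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def matches(pattern: str, path: str) -> bool:
    return ant_to_regex(pattern).match(path) is not None


def unprotected(pattern: str, paths=ENDPOINTS) -> list:
    """Endpoints a security filter mapped to `pattern` would NOT cover."""
    return [p for p in paths if not matches(pattern, p)]


if __name__ == "__main__":
    for pat in ("/api/*", "/api/**"):
        print(f"{pat:8} leaves unprotected: {unprotected(pat)}")
```

Mapping the filter to /api/* silently leaves every nested resource unauthenticated; /api/** covers the whole subtree.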
I'm new to web development and I'm trying to develop my own prototype. There are certain ragged edges with my code. I'll lump together making the markup cross-browser compatible, detecting if JS is turned on for the client browser, and testing if cookies are enabled for client.
General question, but does pretty much every site out there test for cookies within their login view? I know how to do this, I was just curious if it's so blatantly necessary.
Obviously, if cookies are disabled, the auth framework won't work. How often do clients turn off cookies these days?
Might be a naive question or I may have answered myself but hey, I'm curious.
Brendan
Cookies and other authentication are handled by the session middleware in Django. The Pylons documentation has a more detailed explanation of how WSGI handles requests/responses, and how they make their way from the server up into your code here.
Typically in Django, you use the @login_required decorator in your views, and the session middleware handles the implementation details (like clients who have cookies disabled, as you mentioned).
For other stuff that you can put in a cookie, you use the HttpRequest.COOKIES array.
Duplicate: this must be a duplicate of one of the questions that come up in the following search: Please close it as a duplicate if you agree, and add any answers to one of the other questions.
What is the most RESTful form of authentication? What websites use it? (so I can go look at the documentation).
Looking at some APIs, those that claim to be REST are really POX
(ex. Remember the Milk - http://www.rememberthemilk.com/services/api/methods/)
I don't know if this is the 'most RESTful' form, but Amazon's S3 uses an authentication method which is documented here. Each request is signed, so there is no session to track on the backend, but you can still securely verify what user issued the request.
The most RESTful authentication method is probably HTTP Basic. Because it has some significant weaknesses (replay attacks), most APIs tend to shy away from it.
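To make the two answers above concrete (S3-style per-request signing with no server-side session, and the replay weakness of plain HTTP Basic), here is an added example that is not part of either answer and is not Amazon's actual signature format: each request carries an HMAC over its method, path, timestamp and body hash, and the verifier rejects signatures that are tampered, outside a time window, or already seen. The key id, header names and secret are constructed placeholders.

```python
import hashlib
import hmac

# Constructed shared secret per client, looked up by a hypothetical key id.
SECRETS = {"DEMO-KEY-ID": b"constructed-shared-secret"}
MAX_SKEW_SECONDS = 300   # how long a captured request stays valid at most


def string_to_sign(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Canonical form that both sides sign; binds method, path, time and body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key_id: str, method: str, path: str, body: bytes, now: int) -> dict:
    """Client side: headers that authenticate this one request only."""
    mac = hmac.new(SECRETS[key_id], string_to_sign(method, path, now, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(now), "X-Signature": mac.hexdigest()}


def verify_request(method: str, path: str, body: bytes, headers: dict,
                   now: int, seen: set) -> bool:
    """Server side: no session state, only a short-lived replay cache of signatures."""
    secret = SECRETS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                     # stale or future-dated: bounds the replay window
    expected = hmac.new(secret, string_to_sign(method, path, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False                     # any change to method/path/body/time breaks the MAC
    if expected in seen:
        return False                     # exact replay inside the window
    seen.add(expected)
    return True


if __name__ == "__main__":
    cache = set()
    hdrs = sign_request("DEMO-KEY-ID", "GET", "/tasks/1", b"", 1_700_000_000)
    print(verify_request("GET", "/tasks/1", b"", hdrs, 1_700_000_010, cache))  # first use
    print(verify_request("GET", "/tasks/1", b"", hdrs, 1_700_000_010, cache))  # replay
```

The replay cache only needs to hold signatures for MAX_SKEW_SECONDS, so the server stays effectively stateless compared with a session store.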
Open Sourcery has a well-thought-out article on RESTful authentication. Sounds like there are no awesome solutions right now beyond simple user/pass auth over SSL and then keeping auth info in subsequent request headers.