Then it's not really a session id that's needed, but rather, a client id?
----- Original Message -----
From: "Robert Sanderson" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, June 13, 2002 6:20 PM
Subject: Re: result set model for srw
> > > Yes. Otherwise you could subvert other users' result sets as
> > > you don't know who created it.
>
> > Not so. In SRW (unlike Z39.50) the result set name is really a result
> > set identifier generated by the server rather than requested by the
> > client. So in SRW the result set name effectively acts as a session id.
>
> Yes. But if they persist, which they must in some form, then they can be
> operated on.
>
> For example, I send to client A a result set named 'rs1'. The rogue DDOS
> client then sends me a request against a result set named 'rs1' which
> promptly disappears for the real user.
>
> In the time between the server sending the result set name to the client, a
> different attacking client can send a request which uses that name. You
> simply can't avoid that. You need to have a way of determining if the
> client is allowed to operate on that result set.
>
>
> > This result set name only has limited life. On receipt of a second SRW
> > request to get the next 10 records, the server is perfectly at liberty
> > to respond with a new result set name (at an abstraction level this name
> > would be referencing the same result set) i.e. this is just a mechanism
> > to maintain state between SRW requests.
>
> I could send continuous (SOAP is HTTP/1.1 so includes pipelining and
> gzipping, making this even more effective) requests to trash random
> result set names.
>
> Regardless of how quickly they disappear, or how obscurely they're named,
> without an identifier which uniquely identifies the connection to which
> the result set belongs, they can be subverted.
>
> Like Microsoft's "Security through Obscurity", this is no security at all.
>
> Rob
>
>
> --
> ,'/:. Rob Sanderson ([log in to unmask])
> ,'-/::::. http://www.o-r-g.org/~azaroth/
> ,'--/::(@)::. Special Collections and Archives, extension 3142
> ,'---/::::::::::. Twin Cathedrals: telnet: liverpool.o-r-g.org 7777
> ____/:::::::::::::. WWW: http://liverpool.o-r-g.org:8000/
> I L L U M I N A T I
>
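As an added illustration (not code from the thread or from any SRW implementation), a toy Python model of the check Rob says is needed: each result set is bound to the client that created it, and a request naming that result set from a different client is refused, whereas a server keyed on the name alone lets any caller discard it. The client credential is assumed to be an authenticated identity supplied by the transport (a token or similar); the class and function names are invented.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ResultSet:
    owner: str       # credential of the client that ran the search
    records: list


class SrwServer:
    """Toy SRW result-set store (constructed for illustration)."""

    def __init__(self, bind_to_client):
        self.bind_to_client = bind_to_client  # False = name-only lookup
        self._sets = {}

    def search(self, client, query):
        # The server chooses the name. An unguessable name narrows the window
        # but, as the thread argues, obscurity alone is not authorisation.
        name = secrets.token_urlsafe(16)
        self._sets[name] = ResultSet(owner=client,
                                     records=[f"{query}-rec{i}" for i in range(25)])
        return name

    def _lookup(self, client, name):
        rs = self._sets.get(name)
        if rs is None:
            raise KeyError("unknown result set")
        if self.bind_to_client and rs.owner != client:
            # The identity check: only the creating client may operate on it.
            raise PermissionError("result set belongs to a different client")
        return rs

    def retrieve(self, client, name, start, count):
        return self._lookup(client, name).records[start:start + count]

    def delete(self, client, name):
        self._lookup(client, name)
        del self._sets[name]


def simulate(bind_to_client):
    """Client A searches; client B reuses A's result set name; A comes back."""
    srv = SrwServer(bind_to_client)
    name = srv.search("clientA", "dogs")
    try:
        srv.delete("clientB", name)   # second client presents A's name
        hijacked = True
    except PermissionError:
        hijacked = False
    try:
        owner_ok = len(srv.retrieve("clientA", name, 0, 10)) == 10
    except KeyError:
        owner_ok = False
    return {"hijacked": hijacked, "owner_still_has_set": owner_ok}
```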