
I want to create a Ring/Compojure webapp that would enable a Clojure REPL. All of this is meant to be running on a local machine and the webapp is just a convenient GUI for the local user. Since it is enabling a REPL, I want it to be secure. But, I also want it to be convenient.

Here's my idea:

  • a user would run "lein ring server" to start the app.
  • this opens the web-browser and causes it to fetch "/" from the app.
  • any session request gets a unique session cookie, but the first session cookie is saved specially on the server
  • any requests later check to see the current session cookie == first session cookie

Do you believe this is secure? I'm concerned with requests to your machine from other hosts and this seems to do the trick. I'm worried about other users logged into the local machine--could they see that session cookie somehow? Would I have to enable an https server to really fix this?

I would certainly love to hear if this is a solved problem...

Thanks!

Roger Allen
    A web server can be configured to accept connections from localhost only. See [this question](http://stackoverflow.com/questions/24467539/lein-ring-server-headless-only-listen-to-localhost), for example. – ez121sl Oct 26 '14 at 03:02
  • Thank you. That eliminates the primary concern. But, I'm still curious if the first session cookie could be considered secure for requests from other users on localhost. – Roger Allen Oct 26 '14 at 15:33
  • There is always a time gap between the point when the server is ready to accept requests and the moment when the browser launched by lein sends its first request. That gap is usually short. But it is possible for some other client to connect during that period. – ez121sl Oct 26 '14 at 23:12
  • Agreed, ez121sl. But, the person starting the server would pretty immediately notice they couldn't get access and could react. You'd basically have to have someone lying in wait for this to be a concern. – Roger Allen Oct 27 '14 at 13:51
  • only you can decide what is or isn't an acceptable security risk for your application. – ez121sl Oct 27 '14 at 22:19
  • I suppose a secret that was printed to stdout on startup could be used to validate that the first connection was the intended user. – Roger Allen Oct 28 '14 at 19:41
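Putting the thread's three pieces together (loopback-only listener, a startup secret printed to stdout, and a single bound session) looks like the following. This is an added example, not code from the asker or the commenters; the namespace `local-repl-ui.core`, port 3000, the `/bootstrap` and `/eval` routes and the cookie attributes are assumptions. It runs with `lein run`; to keep `lein ring server`, point lein-ring's `:handler` at `app`, set its `:host "127.0.0.1"` and `:open-browser? false` options and print the bootstrap URL from an `:init` function (check your lein-ring version's README for those option names).

```clojure
(ns local-repl-ui.core
  (:require [compojure.core :refer [defroutes routes GET POST]]
            [compojure.route :as route]
            [ring.adapter.jetty :refer [run-jetty]]
            [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.util.response :as resp]
            [clojure.java.browse :refer [browse-url]])
  (:import [java.security SecureRandom MessageDigest]
           [java.util Base64]))

;; A fresh 256-bit bootstrap secret per process. It is shown only on the
;; terminal of the user who started the server, which other local accounts
;; cannot read, and it is never passed on the server's command line.
(defn new-token []
  (let [buf (byte-array 32)]
    (.nextBytes (SecureRandom.) buf)
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) buf)))

(defonce bootstrap-token (new-token))

;; Flips to true exactly once: compare-and-set! makes the claim atomic, so two
;; clients racing for the first request cannot both be bound.
(defonce claimed? (atom false))

;; Constant-time comparison so the token cannot be recovered byte by byte.
(defn token-matches? [presented]
  (and (string? presented)
       (MessageDigest/isEqual (.getBytes presented "UTF-8")
                              (.getBytes bootstrap-token "UTF-8"))))

;; Everything behind this middleware requires the one bound session.
;; Answering 403 (rather than nil) means an unbound client learns nothing
;; about which paths exist.
(defn wrap-require-bound-session [handler]
  (fn [request]
    (if (true? (get-in request [:session :bound?]))
      (handler request)
      (-> (resp/response "forbidden") (resp/status 403)))))

(defroutes bootstrap-routes
  ;; The single entry point. Presenting the token binds the caller's session
  ;; and burns the token; every later attempt, with or without it, gets 403.
  (GET "/bootstrap" {{token "token"} :params}
    (if (and (token-matches? token)
             (compare-and-set! claimed? false true))
      (-> (resp/redirect "/")
          (assoc :session {:bound? true}))
      (-> (resp/response "forbidden") (resp/status 403)))))

(defroutes repl-routes
  (GET "/" [] (resp/response "repl ui goes here"))
  ;; The REPL itself, i.e. the capability the gate above exists to protect.
  (POST "/eval" {{form "form"} :params}
    (if (string? form)
      (resp/response (pr-str (eval (read-string form))))
      (-> (resp/response "missing form") (resp/status 400)))))

(def app
  (-> (routes bootstrap-routes
              (wrap-require-bound-session repl-routes)
              (route/not-found "not found"))
      ;; Ring's default session store is in-memory: the cookie carries only a
      ;; random key and the :bound? flag lives server-side. HttpOnly keeps page
      ;; scripts away from the cookie; SameSite=Strict (Ring >= 1.8) stops a
      ;; page on some other origin from riding the bound session into /eval.
      (wrap-session {:cookie-attrs {:http-only true :same-site :strict}})
      wrap-params))

(defn -main [& _]
  (let [port 3000
        url  (str "http://127.0.0.1:" port "/bootstrap?token=" bootstrap-token)]
    ;; :host pins the listening socket to loopback, so other hosts cannot open
    ;; a connection at all; only processes on this machine can reach the port.
    (run-jetty app {:host "127.0.0.1" :port port :join? false})
    (println "Local REPL UI: open this URL once to bind your browser:" url)
    (browse-url url)))
```

This keeps the asker's "first session wins" shape but closes the gap ez121sl describes: a client that connects before the browser does gets a 403 and consumes nothing, because binding requires the token, not merely being first. Two local-user caveats remain. `browse-url` hands the URL to a browser launcher as a process argument, and on most systems process arguments are visible to every local account via `ps`, so pasting the printed URL by hand is the safer of the two paths (drop the `browse-url` call if other users share the machine). And the token travels in a query string, so it lands in the browser's history; its single-use nature limits what that leaks, but a fresh token per start is essential. TLS adds nothing on loopback: the bytes never leave the kernel, and the local-user threat is about who can connect and who can see the secret, which is what the listener address and the terminal-only token address.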

0 Answers