Re: soyMAIL redux

JF Mezei wrote:
Mark Daniel wrote:

There's a new v0.3.8 BETA kit available from the download page


I have a question for you (general).

How does Soy/Yah mail handle "logged in sessions" ? Is it one process
which just keeps multiple mail contexts/mail files opened at a time and
chooses the right one upon reception of an HTTP transaction from a user
? Or does it create a subrpocess/detached process for each user and that
process is then re-used for every transaction for that one user ?

It's based on CGI (the lowest common denominator supported by the three servers) and so each HTTP request is pretty much independent and handled by an autonomous scripting process. That said, soyMAIL stores some state in it's own request data. Of course this is all used internally by soyMAIL and does not relate to the server environment itself.

soyMAIL's authentication and authorization is handled by the supporting server environment. soyMAIL neither performs nor stores any data related to this. It just uses whatever the server passes along in the REMOTE_USER CGI variable. The browser must supply with each request to the server the authorization credentials (in request field "Authorization:.."). Hence, and in common with anything of this ilk, should only be used with SYSUAF authentication on the most secure of intranets or via SSL on the Internet.

Or is context fully kept by the remote browser and sent as a cookie or
GET/POST parameters and the Soy/Yah mail process then re-establishes
context to the proper mail files for every transaction ?

As explained above, no sensitive data is handled or stored by soyMAIL. soyMAIL-internal data is passed from request-to-request in internal 'state' variables (which can be seen encoded towards the bottom of a soyMAIL page HTML source). It does not use cookies.

VMS callable mail context must be opened and then closed during each request cycle. This does not seem to be prohibitive for either soyMAIL performance, request latency or system impact. soyMAIL code goes to significant lengths to perform well against callable mail and RMS. Some of these optimisations will be described in a forthcoming 'Ping' article from the UK hpUG

http://www.hpug.org.uk/

(for subscribers). You'll probably also find it on the WASD site after publication.
.

Relevant Pages

  • [REVS] NTLM HTTP Authentication is Insecure By Design
    ... in front of a web server, and that proxy server shares a single TCP ... These are attacks that make use of non-RFC HTTP requests (HTTP Request ... the authentication is associated with the ...
    (Securiteam)
  • [NT] 04WebServer Multiple Vulnerabilities (CSS, Log File Injection, AUX DoS)
    ... 04WebServer is a HTTP server developed by Soft3304 for Windows platforms. ... Characters into Log File ... filtering on the request URL before writing it into the log file. ... following HTTP request, when submitted to a vulnerable 04WebServer, will ...
    (Securiteam)
  • Re: breaking the model
    ... > The forms data then is in the Request object. ... HTTP Request; in this case, the form POST Request from the Page. ... client and server. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Anonymous Anonymity - Request For Comments
    ... > and request that you reply directly to my e-mail address. ... > for the entity wishing to preserve their anonymity. ... > the machine can perform as a Intermediary Server and / or as a Intermediary ... > The software then attempts connection to a Intermediary Server. ...
    (Bugtraq)
  • Re: BASIC authentication Issues with IE - Part II - Solved but WHY?
    ... We have complete control of the Request and Response ... it is up to the browser to send the credentials. ... ASP runs internally on the server. ...
    (microsoft.public.inetserver.iis.security)