Featured Level of The Week

Come talk about the game, your Contraptions, and your solutions!

Featured Level of The Week

Postby tes753 on Wed Apr 14, 2010 4:11 pm

Featured Level of the Week (updated: 12/31)
Wiki Page

Note: Due to a lack of levels (and time), all future levels will be the levels from the Fantastic Contraption 2 featured level series. Go here to view the official thread.

Thank you for your support!
Last edited by tes753 on Fri Dec 31, 2010 11:12 am, edited 7 times in total.
tes753
 
Posts: 322
Joined: Fri Dec 26, 2008 8:27 am
Location: FCWiki

Re: Featured Level of The Week (Retake!)

Postby Kai Laddiman on Thu Apr 15, 2010 2:59 am

I quite like this one I made: http://fantasticcontraption.com/?levelId=529344

It isn't brilliant but it looks cool :)
Kai Laddiman
 
Posts: 497
Joined: Fri Apr 17, 2009 9:47 am
Location: Running a kompetition

Re: Featured Level of The Week (Retake!)

Postby Feste on Sun Apr 18, 2010 9:37 pm

Two of my better ones; they both got designs that said "Awesome level":
http://fantasticcontraption.com/?levelId=531167
http://fantasticcontraption.com/?levelId=530073
Feste
 
Posts: 653
Joined: Tue Mar 10, 2009 1:13 pm
Location: Vermont

Re: Featured Level of The Week (Retake!)

Postby bitasy1 on Thu Jul 08, 2010 4:01 pm

This is my very best level. It's my first one using FCML and coincidentally my 100th level.
http://fantasticcontraption.com/?levelId=548201
bitasy1
 
Posts: 66
Joined: Sat Aug 16, 2008 11:43 am
Location: I won't allow anyone to stalk me!

Re: Featured Level of The Week (Retake!)

Postby uuuiiiooop on Sat Jul 10, 2010 12:27 pm

Here is an easy level I have from a while back.

http://fantasticcontraption.com/?levelId=541157
uuuiiiooop
 
Posts: 624
Joined: Sun Nov 09, 2008 2:41 pm
Location: More than five hundred thousand levels. Over eleven million designs.

Re: Featured Level of The Week (Retake!)

Postby zhyrek on Sat Jul 10, 2010 1:20 pm

uuuiiiooop wrote:Here is an easy level I have from a while back.

http://fantasticcontraption.com/?levelId=541157

Fun: http://fantasticcontraption.com/?designId=10958430
zhyrek
 
Posts: 3510
Joined: Tue Mar 10, 2009 4:11 pm
Location: RPI

Re: Featured Level of The Week (Retake!)

Postby helvellyn on Tue Aug 10, 2010 6:11 pm

I don't remember seeing this before. Anti-levels! The aim is to stop the solve!

http://fantasticcontraption.com/?levelId=553882

http://fantasticcontraption.com/?levelId=553943

http://fantasticcontraption.com/?levelId=553979

OK. They're all pretty straightforward, but you gotta give them something for originality :)

And I'm sure some of the expert level builders here could come up with some seriously elegant variations on this theme.

It even comes with its own addition to the FC jargon!

Antichamp! The act of getting the ball(s) to stay in the workshop!
Last edited by helvellyn on Tue Aug 10, 2010 6:42 pm, edited 2 times in total.
helvellyn
 
Posts: 3
Joined: Sun Jul 27, 2008 1:04 pm

Re: Featured Level of The Week (Retake!)

Postby rianbay812 on Tue Aug 10, 2010 6:13 pm

Hey I'm going to make a shuffle like that! It could be a really intriguing idea. Something that FC has done a lot lately.
rianbay812
 
Posts: 1821
Joined: Sun Feb 22, 2009 5:55 pm
Location: Georgia Institute of Technology: Atlanta, Georgia

Re: Featured Level of The Week (Retake!)

Postby BoredDude2 on Fri Aug 20, 2010 8:38 am

Here is one of mine: http://fantasticcontraption.com/?levelId=555415
It is called Slip Under.
BoredDude2
 
Posts: 183
Joined: Mon Dec 22, 2008 2:51 pm
Location: Stuck in a sarlacc's stomach

Re: Featured Level of The Week (Retake!)

Postby lightin on Tue Nov 02, 2010 11:11 pm

lightin
 
Posts: 2
Joined: Tue Nov 02, 2010 10:52 pm

Re: Featured Level of The Week (Retake!)

Postby supersoraunder on Fri Nov 05, 2010 7:50 pm

http://www.fantasticcontraption.com/?levelId=463359 this level is MESSED UP! Leave it alone, and it will go normally, but add ANY piece, and for some reason it will go a different way!
supersoraunder
 
Posts: 11
Joined: Sat Jun 13, 2009 2:29 am

Re: Featured Level of The Week (Retake!)

Postby Paleo8 on Fri Nov 05, 2010 9:12 pm

http://www.fantasticcontraption.com/?designId=11222613 ha.... you can do anything in the build area and get a solve
Paleo8
 
Posts: 2164
Joined: Sun Oct 19, 2008 7:56 am
Location: KCMO

Re: Featured Level of The Week (Retake!)

Postby Dean-o on Sat Nov 06, 2010 10:03 am

Paleo8 wrote:http://www.fantasticcontraption.com/?designId=11222613 ha.... you can do anything in the build area and get a solve

Lies.
Dean-o
 
Posts: 1023
Joined: Thu Dec 31, 2009 4:34 pm
Location: Spreading its influence across the world for everyone to play.

Re: Featured Level of The Week (Retake!)

Postby schlag on Thu Dec 02, 2010 3:48 pm

yo dude here's a nice level...
http://www.fantasticcontraption.com/lev ... lId=570581
pretty difficult but possible (I have the only solve, see what you can do <(^_^)>)
schlag
 
Posts: 18
Joined: Sun Sep 21, 2008 6:06 am
Location: underground, dead

Re: Featured Level of The Week

Postby nate0023 on Wed Feb 16, 2011 9:23 am

Toronto always gives me the strange sensation of being in a parallel universe, one in which you might be in a great American city -- say, Detroit, St. Louis, or Cleveland -- if only we Americans had not gone through the cultural convulsions of the post-war era and tossed our cities into the dumpster of history. Hollywood uses Toronto constantly as a set for Anycity, USA, but the truth is that Toronto is in much better shape than almost any American city.

In Toronto you see office buildings every bit as hideous and grandiose as in America, and the same overly broad streets, poorly furnished with medians, trees, and other urban decor considered impediments to express motoring. But, despite these shortcomings, Toronto is alive. Its downtown streets are teeming with people. Multitudes of them actually live in the city center in apartment buildings and houses, and the sidewalks are jammed, in some places until late at night. The public realm, where the buildings meet the sidewalk, is activated. This demonstrates that a New World city can remain alive despite the formal idiocies of Modernist urban theory and practice. Toronto is what many American cities wish they could be.

Jane Jacobs, the American urbanist, author of "The Death and Life of Great American Cities," "Cities and the Wealth of Nations," "Systems of Survival," and other books, lives here. She will tell you in her own words below how she happened to land in Toronto. I found her at home, in the Annex neighborhood on a serene residential street off Bloor, the main drag of the University of Toronto, which in that vicinity resembles the Eighth Street shopping district of Greenwich Village, where Ms. Jacobs lived and wrote so famously years ago. There are the boutiques and the bistros of all nations, along with copy shops, oriental groceries, and shoe-repair joints. Ms. Jacobs' home, a block or so up from Bloor, is a Toronto "double," a type of semi-detached brick row house with a generous neo-classical white wooden porch, a Dutch-style gable-end, and ivy growing up the wall. It is still a bohemian street, with some houses in better shape than others, including some student slums, looking all in all casually dignified.

Ms. Jacobs lives here alone now, her architect-husband having passed away in 1998. One son and his family live right down the block, though, and see her often. She is 83 now, and was a little incapacitated from knee surgery when I stopped by on a bright September afternoon this year. The inside of her house was pretty pure Sixties Bohemian Intellectual. The Jacobs had removed some interior walls, so the first floor kitchen, dining room, and living room all flowed together. There was a great groaning wall of books, of course, and other surfaces were still painted the bright colors of the Go-Go era, when the family moved there. Near the bay window in front she displayed a native-American breastplate and her tablecloth in the dining room was a bold aboriginal print. There were drawings by her daughter, who lives in the backwoods of British Columbia, and lots of family photographs everywhere. Her office is a spare bedroom upstairs in the rear where it is especially quiet.

Ms. Jacobs still looks like that famous photo of her taken in the White Horse tavern in the West Village three decades ago (a cigarette in one hand and a beer mug in the other). Her hair is the same silvery helmet with bangs, and her big eyeglasses emphasize her role as the ever-penetrating observer, with an impish overlay. She still likes to drink beer, and worked on a bottle of some dark local brew while we talked. She was alert, humorous, and apart from her injured knee seemed to be in fine condition.

Jane Jacobs grew up in Scranton, Pa., the daughter of a doctor and a school-teacher. She worked briefly as a reporter for the Scranton Tribune and then went to New York City, where she plugged away as a freelance writer until she landed a staff job with Architectural Forum in 1952. The job gave her a privileged perch for observing the fiasco of post-war "urban renewal" and all its evil consequences. A decade later, she seized the imagination of an otherwise extremely complacent era when she declared so starkly in "The Death and Life of Great American Cities" that the experiment of Modernist urbanism was a thumping failure, and urged Americans to look instead to the traditional wisdom of the vernacular city and its fundamental unit, the street, instead of the establishment gurus. This was the first shot in a war that has been ongoing ever since. Decades later, her book became one of the seminal texts of the New Urbanism (along with the books of Lewis Mumford, who was at first a great supporter of hers and then an adversary when she criticized the Garden Cities movement that was so dear to him. . . but she will tell you about that quarrel herself.)

Ms. Jacobs suffered the opprobrium of the architectural and planning establishment for decades. They never recovered from her frontal assault, including the sinister Robert Moses, who fell from power not long after he tangled with Ms. Jacobs on his proposal to run a freeway through Washington Square. One can say pretty definitively that she won the battle and the war, though the enormous inertia of American culture still acts as a drag on a genuine civic revival here. By the mid 1960s, her interests and writings broadened to take in the wider issues of economics and social relations, and by force of intellect she compelled the cultural elite to take seriously this untrained female generalist -- and wonderful prose stylist -- who had the nerve to work out large ideas on her own. Naturally, her books are now part of the curriculum.

We were seated at her dining room table for the course of this dialog, which has been edited as follows.

James Howard Kunstler (JHK) and Jane Jacobs (JJ)

JHK: What was it like for you coming to New York for the first time?

JJ: The first time I was ever in New York I was twelve years old. Let’s see I was born in 1916 so that would have been 1928 and it was before the crash. And I went with the parents of some friends and I guess we drove there. I guess the car was left in New Jersey. Anyway we got over on a ferry and we landed in downtown Manhattan. And I was flabbergasted at all the people in the streets. It was lunchtime in Wall Street in 1928 and that was…the city was just jumping. It was all full of people.

JHK: What year did you come there to live full-time?

JJ: That was, let’s see, ’34.

JHK: And what was your impression then? Was it a different…ah?

JJ: Well, yes it was different…because it was the difference between the high tide of the twenties prosperity and depression.

JHK: Was it palpable—could you really feel it and see it?

JJ: I could see contrasts, even from that first visit. Especially downtown. There were a lot more unemployed people in ’34 and there weren’t any in ’28.

JHK: Where did you find yourself going when you got to New York in the twenties. Did you just naturally find your way into Greenwich Village or did you start elsewhere?

JJ: My sister was already there. She was six years older than I was.

JHK: What was she doing?

JJ: She had studied interior design in Philadelphia—the Pennsylvania Museum School of Industrial Arts—I don’t think it exists anymore, but it was a good school. And so she came to New York hoping to get a job as a designer. But she couldn’t in the Depression. She got a job in a department store—Abraham and Strauss in Brooklyn, in the home furnishings department—that was the nearest thing she could get to her line. So I came along and she had been living on East 94th Street. Imagine, she and several other girls they lived in this house. It was a rooming house. It was very cheap rent. This is a very expensive area now.

JHK: Yeah, but the Jacob Rupert Brewery was up there until 1957. I lived on 93rd Street for a while myself. You would go through these brewing cycles when the neighborhood would be full of this smell of beer and hops.

JJ: Well she moved to Brooklyn, Brooklyn Heights, to a house that is not there anymore. It was a six-story walk-up and we lived on the top floor. It was a nice neighborhood though. It was near the St. George Hotel. It was before the highways went in there. So I would go looking for a job every morning. I would look in the newspaper and see what seemed likely and which employment agencies were advertising. I would usually walk over the Brooklyn Bridge into Manhattan because we were there near the Brooklyn Bridge. And then after I was turned down for all these jobs I would spend the rest of the day looking around where I had ended up. Or if I had ended up in a place where I had already looked around I would spend a nickel on the subway and go arbitrarily to some other stop and look around there. So I was roaming the city in the afternoons and applying for jobs in the morning. And one day I found myself in a neighborhood I just liked so much…it was one of those times I had put a nickel in and just invested something. And where did I get out? I just liked the sound of the name: Christopher Street — so I got out at Christopher Street, and I was enchanted with this neighborhood, and walked around it all afternoon and then I rushed back to Brooklyn. And I said, "Betty I found out where we have to live." And she said, "Where is it?" And I said, "I don’t know, but you get in the subway and you get out at a place called Christopher Street." So we went to look for a place where you got out of the subway at Christopher Street.

JHK: What did you find?

JJ: We found an apartment on Martin Street. I had a job by then, I guess we didn’t go looking immediately. And one of those mornings I hit the jackpot and got a job.

JHK: And what was it?

JJ: It was in a candy manufacturing company as a secretary.

JHK: So you did a bit of secretarial stuff.

JJ: Oh I did secretarial work for about five years.

JHK: Did you have any inkling that you were going to be a professional intellectual?

JJ: No, but I did have an inkling that I was going to be a writer. That was my intention.

JHK: Did you hang out with any of the Greenwich Village bohemians of the day?

JJ: No.

JHK: Did you see them around?

JJ: Yes, I guess I did. But I didn’t have any money to hang out in bars. We were living very close to the bone. In fact there were considerable times when Betty and I were living on Pablum because my father was a doctor and he told us that the most important thing was to keep our health and that we should not skimp on nourishing food. So when we didn’t even have any money for nourishing food we knew that Pablum for babies was full of nourishment and we also knew that bananas were good and milk. And so that’s what we would live on until we got a little more money. It was a powder that you mixed up and it was not good.

JHK: Sounds a little grim.

JJ: Yeah, but we had a good time and we didn’t go for long periods on this and we did keep our health and it was nourishing food.

JHK: Well, yeah, if you think in the sense that astronauts eat stuff out of tubes.

JJ: That’s right. I don’t want to give you the impression that we lived for long periods like this. Maybe toward the end of the week…

JHK: Tell me how you found yourself venturing into the life of a public intellectual.

JJ: Well, I began writing articles right away. And this combined with my afternoons I had spent looking at different areas of the city, and I wrote a series of articles that Vogue bought about different areas of the city. The fur district—you see they had something to do with the kind of things that the readers of Vogue were presumably interested in—although I didn’t know who I was writing these for when I wrote them. But then I saw what I was doing and I tried this.

JHK: It must have been exciting to sell magazine articles.

JJ: It was. I got $40 apiece for them.

JHK: That was a lot of money then.

JJ: A lot of money! -- because at the job I had, I got twelve dollars a week. Of course I didn’t sell many of these. I wrote about the fur district, the flower district, the leather district, let me see, the diamond district, which was down on the Bowery then. So I was trying to be a writer all the time. And eventually, not right away, but later on, I got to write Sunday feature stories for the Herald Tribune. But I didn’t get paid as well for those. But then I wrote a few things for Q Magazine, oh about manhole covers, how you could tell what was running underneath you by reading what was on the manhole covers.

JHK: You hadn't gone to college, by the way?

JJ: Well, I hadn’t wanted to go to school after I finished high school. I was so glad to get out.

JHK: Were you a troublemaker?

JJ: Yes.

JHK: I sympathize—I didn’t like school either.

JJ: I would break paper bags in the lunch room and make explosions and I would be sent to the principal, and that kind of thing. I was not really a troublesome person. I was not really destructive in any way, but I was mischievous.

JHK: Were you a comedian?

JJ: Sort of, yeah.

JHK: Naturally I was reviewing some of your books the last couple of weeks. They stand up so beautifully. One would have to suppose at the time that you wrote The Death and Life of Great American Cities that you were pretty ticked off at American culture. For instance you wrote, "It may be that we have become so feckless as a people that we no longer care how things work but only the kind of quick, easy outer impression that they get." And you wrote that around 1960 or the late 50s.

JJ: Yeah, I was working on that book…I began in 1958 and finished it in 1960.

JHK: Well, it seems to me that American life has changed very little in that regard. In fact I actually go around on the lecture circuit telling audiences that we are a wicked people who deserved to be punished…and I am not religious. So what was your state of mind. Were you ticked off at American culture? Was it the culture of civic design? Was it Robert Moses? Was it some combination of those things? Was it the Bauhaus? What was it that was getting under your skin in those days?

JJ: Well what was getting immediately under my skin was this mad spree of deceptions and vandalism and waste that was called urban renewal. And the way it had been adopted like a fad and people were so mindless about it and so dishonest about what was being done. That’s what ticked me off, because I was working for an architectural magazine and I saw all this first hand and I saw how the most awful things were being excused.

JHK: You must have already been acquainted with things like Corbusier’s "Radiant City" and some of the schemes from the 20s and the Bauhaus. By this time Gropius had become installed at Harvard and Mies Van der Rohe…

JJ: I didn’t have any feeling about these one way or another. It was just another way of building. I didn’t have any ideology, in short. When I wrote that about "we may become so feckless as a people" I had no ideology.

JHK: But you were angry.

JJ: But I was angry at what was happening and what I could see first hand was happening. It all came to me first hand. I didn’t have any abstractions about American culture. In the meantime I had gone a couple years to Columbia but I hadn’t been taking classes in American Culture. I sat in on one in Sociology for a while and I thought it was so dumb. But I had a wonderful time with various science courses and other things that I took there. And I have always been grateful for what I learned in those couple of years. But I’ll tell you something that had been worrying me: I liked to visit museums that showed old time machines and tools and so forth. And I was very struck. There was one of these museums in Fredericksburg, Virginia, which was my father’s hometown. He was from a farm near Fredericksburg. I was very struck with the way these old machines were painted. They were painted in a way to show you how they worked. Evidently the makers of them and the users of them cared about how these things were put together and how what moved what so that other people would be interested in them. I used to like to go to the railroad station in Scranton and watch the locomotives. I got a big bang out of seeing the locomotives and those pistons that moved the wheels. And that interested me how they were moved by those things and then the connection of that with the steam inside and so on. In the meantime, along had come these locomotives that had skirts on them and you couldn’t see how the wheels moved and that disturbed me. And it was supposed to be for some aerodynamics reason, but that didn’t make sense. And I began to notice how everything was being covered up and I thought that was kinda sick.

JHK: So the whole streamlining of the 30s bugged you?

JJ: That’s right. So I remember very well what was in my mind "that we become so feckless as a people that we no longer care how things work." It was those skirts on the locomotives that I was thinking about and how this had extended to "we didn’t care how our cities worked anymore." We didn’t care to show where the entrances were in buildings and things like that. That’s all I meant. It was not some enormous comment on abstract American society. And I thought this is a real decadence of some sort.
nate0023
 
Posts: 50
Joined: Sat Nov 22, 2008 12:59 pm

Re: Featured Level of The Week

Postby nate0023 on Wed Feb 16, 2011 9:25 am


JHK: It must have been exciting to sell magazine articles.

JJ: It was. I got $40 a piece for them.

JHK: That was a lot of money then.

JJ: A lot of money! -- because at the job I had, I got twelve dollars a week. Of course I didn’t sell many of these. I wrote about the fur district, the flower district, the leather district, let me see, the diamond district, which was down on the Bowery then. So I was trying to be a writer all the time. And eventually, not right away, but later on, I got to write Sunday feature stories for the Herald Tribune. But I didn’t get paid as well for those. But then I wrote a few things for Q Magazine, oh about manhole covers, how you could tell what was running underneath you by reading what was on the manhole covers.

JHK: You hadn't gone to college, by the way?

JJ: Well, I hadn’t wanted to go to school after I finished high school. I was so glad to get out.

JHK: Were you a troublemaker?

JJ: Yes.

JHK: I sympathize—I didn’t like school either.

JJ: I would break paper bags in the lunch room and make explosions and I would be sent to the principal, and that kind of thing. I was not really a troublesome person. I was not really destructive in any way, but I was mischievous.

JHK: Were you a comedian?

JJ: Sort of, yeah.

JHK: Naturally I was reviewing some of your books the last couple of weeks. They stand up so beautifully. One would have to suppose at the time that you wrote The Death and Life of Great American Cities that you were pretty ticked off at American culture. For instance you wrote, "It may be that we have become so feckless as a people that we no longer care how things work but only the kind of quick, easy outer impression that they get." And you wrote that around 1960 or the late 50s.

JJ: Yeah, I was working on that book…I began in 1958 and finished it in 1960.

JHK: Well, it seems to me that American life has changed very little in that regard. In fact I actually go around on the lecture circuit telling audiences that we are a wicked people who deserved to be punished…and I am not religious. So what was your state of mind. Were you ticked off at American culture? Was it the culture of civic design? Was it Robert Moses? Was it some combination of those things? Was it the Bauhaus? What was it that was getting under your skin in those days?

JJ: Well what was getting immediately under my skin was this mad spree of deceptions and vandalism and waste that was called urban renewal. And the way it had been adopted like a fad and people were so mindless about it and so dishonest about what was being done. That’s what ticked me off, because I was working for an architectural magazine and I saw all this first hand and I saw how the most awful things were being excused.

JHK: You must have already been acquainted with things like Corbusier’s "Radiant City" and some of the schemes from the 20s and the Bauhaus. By this time Gropius had become installed at Harvard and Mies Van der Rohe…

JJ: I didn’t have any feeling about these one way or another. It was just another way of building. I didn’t have any ideology, in short. When I wrote that about "we may become so feckless as a people" I had no ideology.

JHK: But you were angry.

JJ: But I was angry at what was happening and what I could see first hand was happening. It all came to me first hand. I didn’t have any abstractions about American culture. In the meantime I had gone a couple years to Columbia but I hadn’t been taking classes in American Culture. I sat in on one in Sociology for a while and I thought it was so dumb. But I had a wonderful time with various science courses and other things that I took there. And I have always been grateful for what I learned in those couple of years. But I’ll tell you something that had been worrying me: I liked to visit museums that showed old time machines and tools and so forth. And I was very struck. There was one of these museums in Fredricksburg, Virginia, which was my father’s hometown. He was from a farm near Fredricksburg. I was very struck with the way these old machines were painted. They were painted in a way to show you how they worked. Evidently the makers of them and the users of them cared about how these things were put together and how what moved what so that other people would be interested in them. I used to like to go to the railroad station in Scranton and watch the locomotives. I got a big bang out of seeing the locomotives and those pistons that moved the wheels. And that interested me how they were moved by those things and then the connection of that with the steam inside and so on. In the meantime, along had come these locomotives that had skirts on them and you couldn’t see how the wheels moved and that disturbed me. And it was supposed to be for some aerodynamics reason, but that didn’t make sense. And I began to notice how everything was being covered up and I thought that was kinda sick.

JHK: So the whole streamlining of the 30s bugged you?

JJ: That’s right. So I remember very well what was in my mind "that we become so feckless as a people that we no longer care how things work." It was those skirts on the locomotives that I was thinking about and how this had extended to "we didn’t care how our cities worked anymore." We didn’t care to show where the entrances were in buildings and things like that. That’s all I meant. It was not some enormous comment on abstract American society. And I thought this is a real decadence of some sort.
Toronto always gives me the strange sensation of being in a parallel universe, one in which you might be in a great American city -- say, Detroit, St. Louis, or Cleveland -- if only we Americans had not gone through the cultural convulsions of the post-war era and tossed our cities into the dumpster of history. Hollywood uses Toronto constantly as a set for Anycity, USA, but the truth is that Toronto is in much better shape than almost any American city.

In Toronto you see office buildings every bit as hideous and grandiose as in America, and the same overly broad streets, poorly furnished with medians, trees, and other urban decor considered impediments to express motoring. But, despite these shortcomings, Toronto is alive. Its downtown streets are teeming with people. Multitudes of them actually live in the city center in apartment buildings and houses, and the sidewalks are jammed, in some places until late at night. The public realm, where the buildings meet the sidewalk, is activated. This demonstrates that a New World city can remain alive despite the formal idiocies of Modernist urban theory and practice. Toronto is what many American cities wish they could be.

Jane Jacobs, the American urbanist, author of "The Death and Life of Great American Cities," "Cities and the Wealth of Nations," "Systems of Survival," and other books, lives here. She will tell you in her own words below how she happened to land in Toronto. I found her at home, in the Annex neighborhood on a serene residential street off Bloor, the main drag of the University of Toronto, which in that vicinity resembles the Eighth Street shopping district of Greenwich Village, where Ms. Jacobs lived and wrote so famously years ago. There are the boutiques and the bistros of all nations, along with copy shops, oriental groceries, and shoe-repair joints. Ms. Jacobs' home, a block or so up from Bloor, is a Toronto "double," a type of semi-detached brick row house with a generous neo-classical white wooden porch, a Dutch-style gable-end, and ivy growing up the wall. It is still a bohemian street, with some houses in better shape than others, including some student slums, looking all in all casually dignified.

Ms. Jacobs lives here alone now, her architect-husband having passed away in 1998. One son and his family live right down the block, though, and see her often. She is 83 now, and was a little incapacitated from knee surgery when I stopped by on a bright September afternoon this year. The inside of her house was pretty pure Sixties Bohemian Intellectual. The Jacobs had removed some interior walls, so the first floor kitchen, dining room, and living room all flowed together. There was a great groaning wall of books, of course, and other surfaces were still painted the bright colors of the Go-Go era, when the family moved there. Near the bay window in front she displayed a native-American breastplate, and her tablecloth in the dining room was a bold aboriginal print. There were drawings by her daughter, who lives in the backwoods of British Columbia, and lots of family photographs everywhere. Her office is a spare bedroom upstairs in the rear, where it is especially quiet.

Ms. Jacobs still looks like that famous photo of her taken in the White Horse tavern in the West Village three decades ago (a cigarette in one hand and a beer mug in the other). Her hair is the same silvery helmet with bangs, and her big eyeglasses emphasize her role as the ever-penetrating observer, with an impish overlay. She still likes to drink beer, and worked on a bottle of some dark local brew while we talked. She was alert, humorous, and apart from her injured knee seemed to be in fine condition.

Jane Jacobs grew up in Scranton, Pa., the daughter of a doctor and a school-teacher. She worked briefly as a reporter for the Scranton Tribune and then went to New York City, where she plugged away as a freelance writer until she landed a staff job with Architectural Forum in 1952. The job gave her a privileged perch for observing the fiasco of post-war "urban renewal" and all its evil consequences. A decade later, she seized the imagination of an otherwise extremely complacent era when she declared so starkly in "The Death and Life of Great American Cities" that the experiment of Modernist urbanism was a thumping failure, and urged Americans to look instead to the traditional wisdom of the vernacular city and its fundamental unit, the street, rather than to the establishment gurus. This was the first shot in a war that has been ongoing ever since. Decades later, her book became one of the seminal texts of the New Urbanism (along with the books of Lewis Mumford, who was at first a great supporter of hers and then an adversary when she criticized the Garden Cities movement that was so dear to him . . . but she will tell you about that quarrel herself).

Ms. Jacobs suffered the opprobrium of the architectural and planning establishment for decades. They never recovered from her frontal assault, including the sinister Robert Moses, who fell from power not long after he tangled with Ms. Jacobs over his proposal to run a freeway through Washington Square. One can say pretty definitively that she won the battle and the war, though the enormous inertia of American culture still acts as a drag on a genuine civic revival here. By the mid 1960s, her interests and writings broadened to take in the wider issues of economics and social relations, and by force of intellect she compelled the cultural elite to take seriously this untrained female generalist -- and wonderful prose stylist -- who had the nerve to work out large ideas on her own. Naturally, her books are now part of the curriculum.

We were seated at her dining room table for the course of this dialog, which has been edited as follows.

James Howard Kunstler (JHK) and Jane Jacobs (JJ)

JHK: What was it like for you coming to New York for the first time?

JJ: The first time I was ever in New York I was twelve years old. Let’s see I was born in 1916 so that would have been 1928 and it was before the crash. And I went with the parents of some friends and I guess we drove there. I guess the car was left in New Jersey. Anyway we got over on a ferry and we landed in downtown Manhattan. And I was flabbergasted at all the people in the streets. It was lunchtime in Wall Street in 1928 and that was…the city was just jumping. It was all full of people.

JHK: What year did you come there to live full-time?

JJ: That was, let’s see, ’34.

JHK: And what was your impression then? Was it a different…ah?

JJ: Well, yes it was different…because it was the difference between the high tide of the twenties prosperity and depression.

JHK: Was it palpable—could you really feel it and see it?

JJ: I could see contrasts, even from that first visit. Especially downtown. There were a lot more unemployed people in ’34 and there weren’t any in ’28.

JHK: Where did you find yourself going when you got to New York in the twenties? Did you just naturally find your way into Greenwich Village, or did you start elsewhere?

JJ: My sister was already there. She was six years older than I was.

JHK: What was she doing?

JJ: She had studied interior design in Philadelphia—the Pennsylvania Museum School of Industrial Arts—I don’t think it exists anymore, but it was a good school. And so she came to New York hoping to get a job as a designer. But she couldn’t in the Depression. She got a job in a department store—Abraham and Strauss in Brooklyn, in the home furnishings department—that was the nearest thing she could get to her line. So I came along and she had been living on East 94th Street. Imagine, she and several other girls they lived in this house. It was a rooming house. It was very cheap rent. This is a very expensive area now.

JHK: Yeah, but the Jacob Ruppert Brewery was up there until 1957. I lived on 93rd Street for a while myself. You would go through these brewing cycles when the neighborhood would be full of this smell of beer and hops.

JJ: Well she moved to Brooklyn, Brooklyn Heights, to a house that is not there anymore. It was a six-story walk-up and we lived on the top floor. It was a nice neighborhood though. It was near the St. George Hotel. It was before the highways went in there. So I would go looking for a job every morning. I would look in the newspaper and see what seemed likely and which employment agencies were advertising. I would usually walk over the Brooklyn Bridge into Manhattan because we were there near the Brooklyn Bridge. And then after I was turned down for all these jobs I would spend the rest of the day looking around where I had ended up. Or if I had ended up in a place where I had already looked around I would spend a nickel on the subway and go arbitrarily to some other stop and look around there. So I was roaming the city in the afternoons and applying for jobs in the morning. And one day I found myself in a neighborhood I just liked so much…it was one of those times I had put a nickel in and just invested something. And where did I get out? I just liked the sound of the name: Christopher Street — so I got out at Christopher Street, and I was enchanted with this neighborhood, and walked around it all afternoon and then I rushed back to Brooklyn. And I said, "Betty I found out where we have to live." And she said, "Where is it?" And I said, "I don’t know, but you get in the subway and you get out at a place called Christopher Street." So we went to look for a place where you got out of the subway at Christopher Street.

JHK: What did you find?

JJ: We found an apartment on Martin Street. I had a job by then, I guess we didn’t go looking immediately. And one of those mornings I hit the jackpot and got a job.

JHK: And what was it?

JJ: It was in a candy manufacturing company as a secretary.

JHK: So you did a bit of secretarial stuff.

JJ: Oh I did secretarial work for about five years.

JHK: Did you have any inkling that you were going to be a professional intellectual?

JJ: No, but I did have an inkling that I was going to be a writer. That was my intention.

JHK: Did you hang out with any of the Greenwich Village bohemians of the day?

JJ: No.

JHK: Did you see them around?

JJ: Yes, I guess I did. But I didn’t have any money to hang out in bars. We were living very close to the bone. In fact there were considerable times when Betty and I were living on Pablum because my father was a doctor and he told us that the most important thing was to keep our health and that we should not skimp on nourishing food. So when we didn’t even have any money for nourishing food we knew that Pablum for babies was full of nourishment and we also knew that bananas were good and milk. And so that’s what we would live on until we got a little more money. It was a powder that you mixed up and it was not good.

JHK: Sounds a little grim.

JJ: Yeah, but we had a good time and we didn’t go for long periods on this and we did keep our health and it was nourishing food.

JHK: Well, yeah, if you think in the sense that astronauts eat stuff out of tubes.

JJ: That’s right. I don’t want to give you the impression that we lived for long periods like this. Maybe toward the end of the week…

JHK: Tell me how you found yourself venturing into the life of a public intellectual.

JJ: Well, I began writing articles right away. And this combined with my afternoons I had spent looking at different areas of the city, and I wrote a series of articles that Vogue bought about different areas of the city. The fur district—you see they had something to do with the kind of things that the readers of Vogue were presumably interested in—although I didn’t know who I was writing these for when I wrote them. But then I saw what I was doing and I tried this.

JHK: It must have been exciting to sell magazine articles.

JJ: It was. I got $40 apiece for them.

JHK: That was a lot of money then.

JJ: A lot of money! -- because at the job I had, I got twelve dollars a week. Of course I didn’t sell many of these. I wrote about the fur district, the flower district, the leather district, let me see, the diamond district, which was down on the Bowery then. So I was trying to be a writer all the time. And eventually, not right away, but later on, I got to write Sunday feature stories for the Herald Tribune. But I didn’t get paid as well for those. But then I wrote a few things for Q Magazine, oh about manhole covers, how you could tell what was running underneath you by reading what was on the manhole covers.

JHK: You hadn't gone to college, by the way?

JJ: Well, I hadn’t wanted to go to school after I finished high school. I was so glad to get out.

JHK: Were you a troublemaker?

JJ: Yes.

JHK: I sympathize—I didn’t like school either.

JJ: I would break paper bags in the lunch room and make explosions and I would be sent to the principal, and that kind of thing. I was not really a troublesome person. I was not really destructive in any way, but I was mischievous.

JHK: Were you a comedian?

JJ: Sort of, yeah.

JHK: Naturally I was reviewing some of your books the last couple of weeks. They stand up so beautifully. One would have to suppose at the time that you wrote The Death and Life of Great American Cities that you were pretty ticked off at American culture. For instance you wrote, "It may be that we have become so feckless as a people that we no longer care how things work but only the kind of quick, easy outer impression that they get." And you wrote that around 1960 or the late 50s.

JJ: Yeah, I was working on that book…I began in 1958 and finished it in 1960.

JHK: Well, it seems to me that American life has changed very little in that regard. In fact I actually go around on the lecture circuit telling audiences that we are a wicked people who deserved to be punished…and I am not religious. So what was your state of mind. Were you ticked off at American culture? Was it the culture of civic design? Was it Robert Moses? Was it some combination of those things? Was it the Bauhaus? What was it that was getting under your skin in those days?

JJ: Well what was getting immediately under my skin was this mad spree of deceptions and vandalism and waste that was called urban renewal. And the way it had been adopted like a fad and people were so mindless about it and so dishonest about what was being done. That’s what ticked me off, because I was working for an architectural magazine and I saw all this first hand and I saw how the most awful things were being excused.

JHK: You must have already been acquainted with things like Corbusier’s "Radiant City" and some of the schemes from the 20s and the Bauhaus. By this time Gropius had become installed at Harvard and Mies Van der Rohe…

JJ: I didn’t have any feeling about these one way or another. It was just another way of building. I didn’t have any ideology, in short. When I wrote that about "we may become so feckless as a people" I had no ideology.

JHK: But you were angry.

JJ: But I was angry at what was happening and what I could see first hand was happening. It all came to me first hand. I didn’t have any abstractions about American culture. In the meantime I had gone a couple years to Columbia, but I hadn’t been taking classes in American Culture. I sat in on one in Sociology for a while and I thought it was so dumb. But I had a wonderful time with various science courses and other things that I took there. And I have always been grateful for what I learned in those couple of years. But I’ll tell you something that had been worrying me: I liked to visit museums that showed old time machines and tools and so forth. And I was very struck. There was one of these museums in Fredericksburg, Virginia, which was my father’s hometown. He was from a farm near Fredericksburg. I was very struck with the way these old machines were painted. They were painted in a way to show you how they worked. Evidently the makers of them and the users of them cared about how these things were put together and how what moved what, so that other people would be interested in them. I used to like to go to the railroad station in Scranton and watch the locomotives. I got a big bang out of seeing the locomotives and those pistons that moved the wheels. And that interested me, how they were moved by those things and then the connection of that with the steam inside and so on. In the meantime, along had come these locomotives that had skirts on them and you couldn’t see how the wheels moved, and that disturbed me. And it was supposed to be for some aerodynamics reason, but that didn’t make sense. And I began to notice how everything was being covered up and I thought that was kinda sick.

JHK: So the whole streamlining of the 30s bugged you?

JJ: That’s right. So I remember very well what was in my mind "that we become so feckless as a people that we no longer care how things work." It was those skirts on the locomotives that I was thinking about and how this had extended to "we didn’t care how our cities worked anymore." We didn’t care to show where the entrances were in buildings and things like that. That’s all I meant. It was not some enormous comment on abstract American society. And I thought this is a real decadence of some sort.

JHK: What did you find?

JJ: We found an apartment on Martin Street. I had a job by then, I guess we didn’t go looking immediately. And one of those mornings I hit the jackpot and got a job.

JHK: And what was it?

JJ: It was in a candy manufacturing company as a secretary.

JHK: So you did a bit of secretarial stuff.

JJ: Oh I did secretarial work for about five years.

JHK: Did you have any inkling that you were going to be a professional intellectual?

JJ: No, but I did have an inkling that I was going to be a writer. That was my intention.

JHK: Did you hang out with any of the Greenwich Village bohemians of the day?

JJ: No.

JHK: Did you see them around?

JJ: Yes, I guess I did. But I didn’t have any money to hang out in bars. We were living very close to the bone. In fact there were considerable times when Betty and I were living on Pablum because my father was a doctor and he told us that the most important thing was to keep our health and that we should not skimp on nourishing food. So when we didn’t even have any money for nourishing food we knew that Pablum for babies was full of nourishment and we also knew that bananas were good and milk. And so that’s what we would live on until we got a little more money. It was a powder that you mixed up and it was not good.

JHK: Sounds a little grim.

JJ: Yeah, but we had a good time and we didn’t go for long periods on this and we did keep our health and it was nourishing food.

JHK: Well, yeah, if you think in the sense that astronauts eat stuff out of tubes.

JJ: That’s right. I don’t want to give you the impression that we lived for long periods like this. Maybe toward the end of the week…

JHK: Tell me how you found yourself venturing into the life of a public intellectual.

JJ: Well, I began writing articles right away. And this combined with my afternoons I had spent looking at different areas of the city, and I wrote a series of articles that Vogue bought about different areas of the city. The fur district—you see they had something to do with the kind of things that the readers of Vogue were presumably interested in—although I didn’t know who I was writing these for when I wrote them. But then I saw what I was doing and I tried this.

JHK: It must have been exciting to sell magazine articles.

JJ: It was. I got $40 a piece for them.

JHK: That was a lot of money then.

JJ: A lot of money! -- because at the job I had, I got twelve dollars a week. Of course I didn’t sell many of these. I wrote about the fur district, the flower district, the leather district, let me see, the diamond district, which was down on the Bowery then. So I was trying to be a writer all the time. And eventually, not right away, but later on, I got to write Sunday feature stories for the Herald Tribune. But I didn’t get paid as well for those. But then I wrote a few things for Q Magazine, oh about manhole covers, how you could tell what was running underneath you by reading what was on the manhole covers.

JHK: You hadn't gone to college, by the way?

JJ: Well, I hadn’t wanted to go to school after I finished high school. I was so glad to get out.

JHK: Were you a troublemaker?

JJ: Yes.

JHK: I sympathize—I didn’t like school either.

JJ: I would break paper bags in the lunch room and make explosions and I would be sent to the principal, and that kind of thing. I was not really a troublesome person. I was not really destructive in any way, but I was mischievous.

JHK: Were you a comedian?

JJ: Sort of, yeah.

JHK: Naturally I was reviewing some of your books the last couple of weeks. They stand up so beautifully. One would have to suppose at the time that you wrote The Death and Life of Great American Cities that you were pretty ticked off at American culture. For instance you wrote, "It may be that we have become so feckless as a people that we no longer care how things work but only the kind of quick, easy outer impression that they get." And you wrote that around 1960 or the late 50s.

JJ: Yeah, I was working on that book…I began in 1958 and finished it in 1960.

JHK: Well, it seems to me that American life has changed very little in that regard. In fact I actually go around on the lecture circuit telling audiences that we are a wicked people who deserved to be punished…and I am not religious. So what was your state of mind? Were you ticked off at American culture? Was it the culture of civic design? Was it Robert Moses? Was it some combination of those things? Was it the Bauhaus? What was it that was getting under your skin in those days?

JJ: Well what was getting immediately under my skin was this mad spree of deceptions and vandalism and waste that was called urban renewal. And the way it had been adopted like a fad and people were so mindless about it and so dishonest about what was being done. That’s what ticked me off, because I was working for an architectural magazine and I saw all this first hand and I saw how the most awful things were being excused.

JHK: You must have already been acquainted with things like Corbusier’s "Radiant City" and some of the schemes from the 20s and the Bauhaus. By this time Gropius had become installed at Harvard and Mies Van der Rohe…

JJ: I didn’t have any feeling about these one way or another. It was just another way of building. I didn’t have any ideology, in short. When I wrote that about "we may become so feckless as a people" I had no ideology.

JHK: But you were angry.

JJ: But I was angry at what was happening and what I could see first hand was happening. It all came to me first hand. I didn’t have any abstractions about American culture. In the meantime I had gone a couple years to Columbia but I hadn’t been taking classes in American Culture. I sat in on one in Sociology for a while and I thought it was so dumb. But I had a wonderful time with various science courses and other things that I took there. And I have always been grateful for what I learned in those couple of years. But I’ll tell you something that had been worrying me: I liked to visit museums that showed old time machines and tools and so forth. And I was very struck. There was one of these museums in Fredricksburg, Virginia, which was my father’s hometown. He was from a farm near Fredricksburg. I was very struck with the way these old machines were painted. They were painted in a way to show you how they worked. Evidently the makers of them and the users of them cared about how these things were put together and how what moved what so that other people would be interested in them. I used to like to go to the railroad station in Scranton and watch the locomotives. I got a big bang out of seeing the locomotives and those pistons that moved the wheels. And that interested me how they were moved by those things and then the connection of that with the steam inside and so on. In the meantime, along had come these locomotives that had skirts on them and you couldn’t see how the wheels moved and that disturbed me. And it was supposed to be for some aerodynamics reason, but that didn’t make sense. And I began to notice how everything was being covered up and I thought that was kinda sick.

JHK: So the whole streamlining of the 30s bugged you?

JJ: That’s right. So I remember very well what was in my mind "that we become so feckless as a people that we no longer care how things work." It was those skirts on the locomotives that I was thinking about and how this had extended to "we didn’t care how our cities worked anymore." We didn’t care to show where the entrances were in buildings and things like that. That’s all I meant. It was not some enormous comment on abstract American society. And I thought this is a real decadence of some sort.
nate0023
Posts: 50
Joined: Sat Nov 22, 2008 12:59 pm

Re: Featured Level of The Week

Postby nate0023 on Wed Feb 16, 2011 9:26 am

The stateless nature of HTTP requires organisations and solution developers to find other methods of uniquely tracking a visitor through a web-based application. Various methods of managing a visitor’s session have been proposed and used, but the most popular method is through the use of unique session IDs. Unfortunately, in too many cases organisations have incorrectly applied session ID management techniques that have left their “secure” application open to abuse and possible hijacking. This document reviews the common assumptions and flaws organisations have made and proposes methods to make their session management more secure and robust.

Understanding the Situation
Most organisations now have substantial investments in their online Internet presences. For major financial institutions and retailers, the Internet provides both a cost effective means of presenting their services and products to customers, and a method of delivering a personalised 24-7 presence. In almost all cases, the preferred method of delivering these services is over common HTTP. Due to the way this protocol works, there is no inbuilt facility to uniquely identify or track a particular customer (or session) within an application – thus the connection between the customer’s web browser and the organisation’s web service is referred to as stateless. Therefore, organisations have been forced to adopt custom methods of managing client sessions if they wish to maintain state.

The most common method of tracking a customer through a web site is by assigning a unique session ID – and having this information transmitted back to the web server with every request. Unfortunately, should an attacker guess or steal this session ID information, it is normally a trivial exercise to hijack and manipulate another user’s active session.

An important aspect of correctly managing state information through session IDs relates directly to authentication processes. While it is possible to insist that a client using an organisation’s web application provide authentication information for each “restricted” page or data submission, it would soon become tedious and untenable. Thus session IDs are not only used to follow clients throughout the web application, they are also used to uniquely identify an authenticated user – thereby indirectly regulating access to site content or information.

The methods available to organisations for successfully managing sessions and preventing hijacking-type attacks are largely dependent upon the answers to a number of critical questions:

1. Where and how often are legitimate clients expected to utilise the web-based application?
2. At what stage does the organisation really need to manage the state of a client’s session?
3. What level of damage could be done to the legitimate client should an attacker be able to impersonate and hijack their account?
4. How much time is someone likely to invest in breaking the session management method?
5. How will the application identify or respond to potential or real hijacking attempts?
6. What is the significance to application usability should it be necessary to use an encrypted version of HTTP (HTTPS)?
7. What would be the cost to the organisation’s reputation should information about a security flaw in any session management be made public?

Finding answers to these questions will enable the organisation to evaluate the likelihood and financial risk of an inappropriate or poorly implemented session management solution.

Maintaining State
Typically, the process of managing the state of a web-based client is through the use of session IDs. Session IDs are used by the application to uniquely identify a client browser, while background (server-side) processes are used to associate the session ID with a level of access. Thus, once a client has successfully authenticated to the web application, the session ID can be used as a stored authentication voucher so that the client does not have to retype their login information with each page request.

Organisations’ application developers have three methods available to them to both allocate and receive session ID information:

• Session ID information embedded in the URL, which is received by the application through HTTP GET requests when the client clicks on links embedded within a page.
• Session ID information stored within the fields of a form and submitted to the application. Typically the session ID information would be embedded within the form as a hidden field and submitted with the HTTP POST command.
• Through the use of cookies.

Each method has certain advantages and disadvantages, and one may be more appropriate than another. Selection of one method over another is largely dependent upon the type of service the web application is to deliver and the intended audience. Listed below is a more detailed analysis of the three methods. It is important that an organisation’s system developers understand the limitations and security implications of each delivery mechanism.

URL-Based Session IDs
Session ID information embedded in the URL, which is received by the application through HTTP GET requests when the client clicks on links.
Example: http://www.example.com/news.asp?article ... IE60012219

Advantages:
• Can be used even if the client web browser has high security settings and has disabled the use of cookies.
• Access to the information resource can be sent by the client to other users by providing them with a copy of the URL.
• If the session ID is to be permanently associated with the client browser and their computer, it is possible for the client to “Save as a favourite”.
• Depending upon the web browser type, URL information is commonly sent in the HTTP REFERER field. This information can be used to ensure a site visitor has followed a particular path within the web application, and subsequently used to identify some common forms of attack.

Disadvantages:
• Any person using the same computer will be able to review the browser history file or stored favourites and follow the same URL.
• URL information will be logged by intermediary systems such as firewalls and proxy servers. Thus anyone with access to these logs could observe the URL and possibly use the information in an attack.
• It is a trivial exercise for anyone to modify the URL and associated session ID information within a standard web browser. Thus, the skills and equipment necessary to carry out the attack are minimal – resulting in more frequent attacks.
• When a client navigates to a new web site, the URL containing the session information can be sent to the new site via the HTTP REFERER field.

Hidden Post Fields
Session ID information stored within the fields of a form and submitted to the application. Typically the session ID information would be embedded within the form as a hidden field and submitted with the HTTP POST command.
Example: Embedded within the HTML of a page –

<FORM METHOD="POST" ACTION="/cgi-bin/news.pl">
<INPUT TYPE="hidden" NAME="sessionid" VALUE="IE60012219">
<INPUT TYPE="hidden" NAME="allowed" VALUE="true">
<INPUT TYPE="submit" VALUE="Read News Article">
</FORM>

Advantages:
• Not as obvious as URL-embedded session information, and consequently requires a slightly higher skill level for an attacker to carry out any manipulation or hijacking.
• Allows a client to safely store or transmit URL information relating to the site without providing access to their session information.
• Can also be used even if the client web browser has high security settings and has disabled the use of cookies.

Disadvantages:
• While it requires a slightly higher skill level to perform, attacks can be carried out using commonly available tools such as Telnet or via personal proxy services.
• The web application page content tends to be more complex – relying upon embedded form information, client-side scripting such as JavaScript, or embedded within active content such as Macromedia Flash. In addition, pages tend to be larger, requiring more time for the client to download, so the client perceives the site as slower and less responsive.
• Due to poor coding practices, a failure to check the submission type (i.e. GET or POST) at the server side may allow the POST content to be reformed into a URL that could be submitted via the HTTP GET method.

Cookies
Each time a client web browser accesses content from a particular domain or URL, if a cookie exists, the client browser is expected to submit any relevant cookie information as part of the HTTP request. Thus cookies can be used to preserve knowledge of the client browser across many pages and over periods of time. Cookies can be constructed to contain expiry information and may last beyond a single interactive session. Such cookies are referred to as “persistent cookies”, and are stored on the client browser’s hard drive in a location defined by the particular browser or operating system (e.g. c:\documents and settings\clientname\cookies for Internet Explorer on Windows XP). By omitting expiration information from a cookie, the client browser is expected to store the cookie only in memory. These “session cookies” should be erased when the browser is closed.
Example: Within the plain text of the HTTP server response –

Set-Cookie: sessionID=IE60012219; Path=/; Domain=www.example.com; Expires=Sun, 01 Jun 2003 00:00:00 GMT; Version=0

Advantages:
• Careful use of persistent and session-type cookies can be used to regulate access to the web application over time.
• More options are available for controlling session ID timeouts.
• Session information is unlikely to be recorded by intermediary devices.
• Cookie functionality is built in to most browsers. Thus no special coding is required to ensure session ID information is embedded within the pages served to the client browser.

Disadvantages:
• An increasingly common security precaution with web browsers is to disable cookie functionality. Thus web applications dependent upon the cookie function will not work for “security conscious” users.
• As persistent cookies exist as text files on the client system, they can be easily copied and used on other systems. Depending on the host’s file access permissions, other users of the host may steal this information and impersonate the user.
• Cookies are limited in size, and are unsuitable for storing complex arrays of state information.
• Cookies will be sent with every page and file requested by the browser within the domain defined by the Set-Cookie header.



The Session ID
An important aspect of managing state within the web application is the “strength” of the session ID itself. As the session ID is often used to track an authenticated user through the application, organisations must be aware that this session ID must fulfil a particular set of criteria if it is not to be compromised through predictive or brute-force type attacks. The two critical characteristics of a good session ID are randomness and length.

Session ID Randomness

It is important that the session ID is unpredictable and the application utilises a strong method of generating random IDs. It is vital that a cryptographically strong algorithm is used to generate a unique session ID for an authenticated user. Ideally the session ID should be a random value. Do not use linear algorithms based upon predictable variables such as date, time and client IP address.

To this end, the session ID should fulfil the following criteria:

• It must look random – i.e. it should pass statistical tests of randomness.
• It must be unpredictable – i.e. it must be infeasible to predict what the next random value will be, given complete knowledge of the computational algorithm or hardware generating the ID and all previous IDs.
• It cannot be reliably reproduced – i.e. if the ID generator is used twice with exactly the same input criteria, the result will be an unrelated random ID.

Session ID Length

It is important that the session ID be of a sufficient length to make it infeasible that a brute force method could be used to successfully derive a valid ID within a usable timeframe. Given current processor and bandwidth limitations, session IDs consisting of over 50 random characters in length are recommended – but make them longer if the opportunity exists.

The actual length of the session ID is dependent upon a number of factors:

• Speed of connection – i.e. there is typically a big difference between Internet client, B2B and internal network connections. While an Internet client will typically have less than a 512 kbps connection speed, an internal user may be capable of connecting to the application server at 200 times faster. Thus an internal user could potentially obtain a valid session ID in 1/200th of the time.
• Complexity of the ID – i.e. what values and characters are used within the session ID? Moving from numeric values (0-9) to a case-sensitive alpha-numeric (a-z, A-Z, 0-9) range means that, for the same address space, the session ID becomes much more difficult to predict. For example, the numeric range of 000000-999999 could be covered by 0000-5BH7 using a case-sensitive alpha-numeric character set.


Session Hijacking
As session IDs are used to uniquely identify and track a web application user, any attacker who obtains this unique identifier is potentially able to submit the same information and impersonate someone else – this class of attack is commonly referred to as Session Hijacking. Given the inherent stateless nature of the HTTP (and HTTPS) protocol, the process of masquerading as an alternative user using a hijacked session ID is trivial.

An attacker has at his disposal three methods for gaining session ID information – observation, brute force and misdirection of trust.

Observation

By default all HTTP traffic crosses the wire in an unencrypted, plain text, mode. Thus, any device with access to the same wire or shared network devices is capable of “sniffing” the traffic and recording session ID information (not to mention user authentication information such as user names and passwords). In addition, many perimeter devices automatically log aspects of HTTP traffic – in particular the URL information.

A simple security measure to prevent “sniffing” or logging of confidential URL information is to use the encrypted form of HTTP – HTTPS.

Brute Force

If the session ID information is generated or presented in such a way as to be predictable, it is very easy for an attacker to repeatedly attempt to guess a valid ID. Depending upon the randomness and the length of the session ID, this process can take as little time as a few seconds.

In ideal circumstances, an attacker using a domestic DSL line can potentially conduct up to as many as 1000 session ID guesses per second. Thus it is very important to have a sufficiently complex and long session ID to ensure that any likely brute forcing attack will take many hundreds of hours to predict.

A paper by David Endler on the processes involved in brute forcing session IDs should be sought by readers requiring background information on this process.

Misdirected trust

In ideal circumstances, a client’s web browser would only ever disclose confidential session ID information to a single, trusted site. Unfortunately, there are numerous instances when this is not the case. For example – the HTTP REFERER field will send the full URL, and in some applications this URL may contain session ID information.

Another popular method, utilising common trust relationship flaws, are HTML embedded and Cross-site Scripting (CSS or sometimes XSS) attacks. Through clever embedding of HTML code or scripting elements, it is possible to steal session ID information – even if it is held within the URL, POST fields and cookies. Readers needing more information about this class of attack should review a copy of “HTML Code Injection and Cross-site scripting”.



Common Failings
While web based session management is important for tracking users and their navigation throughout an application, the most critical use is to maintain the state information of an authenticated user as he carries out his allowed functions. For online banking and retail environments, using an appropriately strong session management method is crucial to the success of the organisation.

In the past, I have had the opportunity to investigate session handling techniques for many of my client’s business critical online applications. Based upon these investigations, this section details some of the most common failings and assumptions that have been made.

Predictable Session IDs

The most common flaw in session ID usage has always been predictability. As discussed earlier, the two causes are a lack of randomness or length, or both.

• Sequential allocation of Session IDs – Each visitor to the site is allocated a session ID in sequential order. Thus, by observing your own session ID information, the simple practice of replacing it with another value a few iterations up or down will allow the attacker to impersonate another user.
• Session ID values are too short – The full range of valid session IDs could be covered during an automated attack before there is time for the session to expire.
• Common hashing techniques – While many commercial web services have built in functions for calculating hashed information, these mechanisms are well known and available for reproduction. A hashing function will indeed create a session ID value that appears to be unique, and great care should be taken to ensure that predictable information is not used in the generation of the hash. For example, there have been cases where the “unique” hash was based upon the local system time and the IP address of the connecting host. Using the same hashing function, the attacker would be able to pre-calculate a large number of time-dependent hashes for a popular internet portal or proxy service (i.e. AOL), and use them to brute force any existing session from that service.
• Session Obfuscation – The use of a custom method of obscuring data and using it for session management. It is never a sound idea to include client or other confidential information within a session ID. For example, some organisations have even tried encoding the user’s name and password within the session ID using a shifted Unicode and hexadecimal representation of the information.

Insecure Transmission

For banking and retailing applications it is crucial that all confidential material and session information be transmitted securely and not vulnerable to observation or replay attacks. Unfortunately many commercial packages have failed in the past to secure the integrity of their session management due to insecure transmission.

• Use Encryption when sending session information – As mentioned earlier, there are a lot of instances whereby a user’s connection to the application server will be logged if not sent over an encrypted channel, such as HTTPS. This is particularly important for applications that require a high degree of confidentiality. If using the cookie method for managing session IDs, organisations should note that the client browser will submit the session ID with every request (this includes pages and graphics) and may even submit it to other servers within the same domain – which may or may not be done over a secure data channel.
• Use different session IDs when shifting between secure and insecure application components – As a new user navigates the web application as a “guest”, use a different session ID than what would be allocated in the secure part of the application. Never use the same session ID information in the authenticated and unauthenticated sections of the web application. Again, ensure that the session ID to be used in the secure part of the web application is not predictable and based on the previous ID.

Length of Session Validity

For secure applications all session information should be time limited and allow for client-side cancellation or server-side revocation.

• Client Cancellation – Many web applications fail to allow for client-side cancellation such as “log-out”. If the intention is to allow users to interact with the application from anywhere, including Internet Cafes, organisations need to be aware that other users can use the same machine and trawl through the “history” and cached page information. If the session has not been cancelled, it is a trivial exercise for the next user of the computer to “resume” the last connection.
• Session Timeout – Again, when dealing with the possibility of shared client computers, it is extremely important that there is a limited lifetime (or period of inactivity) after which the session will automatically expire. The expiry time should be kept to a minimum period, and is dependent upon the nature of the application. Ideally the application should be capable of monitoring the period of inactivity for each session ID and be able to delete or revoke the session ID when a threshold has been reached.
• Server Revocation – In some circumstances it may be necessary to cancel a session at the server side. Likely events include when the user leaves the insecure part of the application and enters the secure part with a new session ID. Alternatively, should some kind of attack be recorded by the server, it would be advisable to revoke the session associated with the attacker’s system.

Session Verification

The processes for handling and manipulating session ID information must be robust and capable of correctly handing attacks targeting the content within.

•Session ID Length - Ensure that the content of the session ID is of the expected size and type, and that the quality of the information is verified before processing. For instance, be capable of identifying over-sized session IDs that may constitute a buffer overflow type attack. Additionally, ensure that the content of the session ID does not contain unexpected information – for example, if the session ID will be used within the application’s backend database, care should be taken that the session ID does not contain embedded data strings that may be interpreted as an extension to the 'Select' SQL query.
•Source of the Session ID – When using the HTTP POST method for communicating session information, ensure that the application is capable of discerning whether the session ID was delivered to the application from the client browser through the HTTP POST method, and not through a manipulated GET request. Converting HTTP POST into a GET request is a common method of conducting cross-site scripting attacks and other distributed brute force attacks.
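The two checks above (expected size and character set, and POST-only delivery) as an added example, not code from the paper. The 14-character alphanumeric policy, the field name "sessionid" and the request inputs are this example's assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumed policy (constructed for this example): a session ID is exactly 14
# characters of [A-Za-z0-9], the shape of the "ID93x7HeT7P4a9" value used later
# in the paper, and is carried in a POST field called "sessionid".
SESSION_ID_LEN = 14
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{%d}" % SESSION_ID_LEN)
MAX_RAW_LEN = 64  # anything longer is rejected before any further handling


def validate_session_id(raw):
    """Return the session ID if it has the expected size and character set, else None.

    The length cap stops over-sized values reaching lower layers, and the strict
    character set means the value cannot carry quotes, comment markers or other
    fragments that a backend SQL query could interpret."""
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
        return None
    if SESSION_ID_RE.fullmatch(raw) is None:
        return None
    return raw


def session_id_from_request(method, query_string, form_fields):
    """Accept the session ID only from the POST body, never from the URL.

    method: HTTP method; query_string: raw query part of the requested URL;
    form_fields: dict of decoded POST fields (constructed inputs when testing)."""
    if method != "POST":
        return None
    # A copy of the field in the query string means the form was reformed into a
    # GET-style URL; treat that as a manipulated request rather than merging values.
    if "sessionid" in parse_qs(query_string or ""):
        return None
    return validate_session_id(form_fields.get("sessionid"))
```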


Good Session Management
Depending upon the application's purpose, various methods of implementing session handling are available to developers, and some may be more applicable than others. For applications requiring the maximum level of session handling security, options are limited, and require a mix of the methods described earlier in this document. The following example currently represents one of the most secure methods of handling sessions, but is complex and difficult to implement successfully. The method relies upon three sources of session ID information. This information is held within the URL, the HTTP REFERER field and cookies.

When a client initially connects to the application as a guest, they are assigned a unique personal identifier (ID1), and this information is then embedded within the URL that they are redirected to. Also contained within the URL is a random identifier for the viewed page (ID2). A third personal identifier (ID3) is delivered as a session cookie, with a lifetime of the open client browser (i.e. the session cookie is held in memory – if the browser window and any child windows are closed, the information is lost). If the application server registers no activity from the client browser, the session information of ID3 is revoked.

1. Client connects to the site www.example.com over HTTP. http://www.example.com/

2. The Client is automatically redirected through a server-side redirect to the home page with a URL containing the unique session information - ID1 (user = ID93x7HeT7P4a9) and ID2 (current page = 3789264).

http://www.example.com/page.jsp?user=ID ... 4a9;cpage= 3789264

3. Within the HTTP server response, a session cookie is delivered (user track = UT23dWT3nQi7n4).

Set-Cookie: UserTrack=" UT23dWT3nQi7n4"; path="/"; domain="www.example.com"; expires="2000-01-01 00:00:00GMT"; version=0

Within the page presented to the client, there will be many hyperlinks to other content pages within the application. Each link has been dynamically generated to include the client ID1, and a randomly generated (but catalogued) page identifier. As the unauthenticated user moves throughout the site, the current page identifier will change while ID1 and ID3 remain static. ID3 will change when the user is successfully authenticated.
For pages containing user information submission areas, all HTML forms have hidden fields which include both ID1 and ID2. If the submitted information is likely to contain ANY confidential or personal information, the submission MUST be made securely over HTTPS.

4. Within the page, each hyperlink is uniquely addressed and contains an associated random identifier.

<a href="/page.asp?user=ID93x7HeT7P4a9;npage=8777623">Link 1</a>
<a href="/page.asp?user=ID93x7HeT7P4a9;npage=6319632">Link 2</a>
<a href="/subs/page.asp?user=ID93x7HeT7P4a9;npage=6349671">Link 3</a>

5. Within a page containing a user submission area, the form may look like the following (note that the ACTION specifies both HTTPS and the full URL):
<FORM METHOD=POST ACTION="https://www.example.com/post/page.asp">
<INPUT TYPE="hidden" NAME="user" VALUE=" ID93x7HeT7P4a9">
<INPUT TYPE="hidden" NAME="cpage" VALUE="3789264">
<INPUT TYPE="text" NAME="data" MAXLENGTH="100">
<INPUT TYPE="submit" NAME="Send Data">

6. All pages or data submissions by the client browser will include the session cookie information (ID3).

7. The application must take each identifier (ID1, ID2 and ID3) and check that it is valid for the client request, and that it has not timed out or been revoked. If this information is NOT correct, the client is redirected to the application's first page with all new identifiers (ID1, ID2 and ID3) and all previous ID information is revoked.

8. When the client browser submits a request or follows a hyperlink, an HTTP REFERER value is included. This value represents the URL that was previously presented to the client browser. The application should verify that ID2 within the REFERER URL is the correct precursor to the newly requested page (npage=). If not, the client browser has not followed the correct path to request the new page, which may be indicative of an attack in progress.
For example, the correct sequence to reach page 2 from the initial page is by following "link 1". Therefore, the request for the page http://www.example.com/page.asp?user=ID ... ge=8777623 must contain http://www.example.com/page.jsp?user=ID ... ge=3789264 in the HTTP REFERER field.

9. If the identifiers are valid and correct, a new page is presented. ID2 is updated (e.g. current page = 8777623), while ID1 and ID3 remain the same. http://www.example.com/page.jsp?user=ID ... ge=8777623

10. The returned page contains new random identifiers for all hyperlinks. There should be a link to go "back" to the previous page. However, the previous page will have been assigned a new random identifier, so the client browser's "Back" button will no longer work. For example:

Original Page 1 was http://www.example.com/page.jsp?user=ID ... ge=3789264

Page 2 is http://www.example.com/page.jsp?user=ID ... ge=8777623

to return to Page 1, the URL may be – http://www.example.com/page.jsp?user=ID93x7HeT7P4a9;cpage=7322641

When the application requires the user to authenticate, all data submission MUST be over an encrypted session such as HTTPS. If the user is successfully authenticated, a new session cookie (ID3) is issued, and the previous session cookie information is revoked at the server. All communication thereafter (until the user decides to "logout") must be over HTTPS.

11. If the user successfully authenticates with the application, the previous session cookie (ID3) is revoked and a new ID3 is issued through the now encrypted HTTPS session.

12. The application must be able to associate ID3 with the type of communication (i.e. HTTP or HTTPS), and immediately revoke all session information (ID1, ID2 and ID3) if the new ID3 is used to access non-secure application resources. The use of revoked or inappropriate session information should result in the client browser being redirected to the start page and issued with all new session identifiers as previously discussed.

13. Again, just like the unsecured parts of the application, all pages passed to the client in the authenticated and secure part of the application should have randomly generated page identifiers.

14. The user must have the facility to "logout" and cancel their session. Logging out results in the revocation of all session information and, if possible, the automatic closing of the client browser. In addition, it is good practice to ensure that both the HTML Meta tags associated with caching and the HTTP caching options are set to expire in the past so that no page content should be stored on the client system.

It is important to note that when utilising session information in the URL, it becomes near impossible to conduct any kind of URL embedded cross-site scripting attack. By assigning unique random identifiers to each page and linking between pages with one-time identifiers, it is almost impossible for an attacker to conduct any brute force or repetitive attacks. However, as this session method relies upon the use of session cookies, it will not work with client browsers that have disabled cookies. In some cases, a client browser page request may not contain any data in the HTTP REFERER field.
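The server side of steps 1 to 14 as an added example that is not the paper's own code: ID1 and ID2 in the URL, ID3 as the cookie, one-time link identifiers catalogued per page, REFERER precursor checking, ID3 rotation on login, revocation on misuse, inactivity timeout and logout. The alphabet, lengths, timeout, dict-based store and method names are this example's assumptions.

```python
import secrets
import time

# Assumed values (constructed for this example, not taken from the paper).
ID_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
ID_LENGTH = 14
IDLE_TIMEOUT = 900.0  # seconds of inactivity after which ID3 is revoked


def new_id():
    """Unpredictable identifier from the OS CSPRNG, as the paper requires."""
    return "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH))


class SessionStore:
    """Server-side state for ID1 (user, in URL), ID2 (page, in URL) and ID3 (cookie)."""

    def __init__(self):
        self.users = {}  # ID1 -> {"ut": ID3, "secure": bool, "seen": last activity}
        self.pages = {}  # ID2 -> {"user": ID1, "path": str, "next": {npage: path}}

    def start(self, now=None):
        """Steps 1-3: a guest gets ID1 and ID2 in the redirect URL and ID3 as a cookie."""
        now = time.time() if now is None else now
        id1, id3 = new_id(), new_id()
        self.users[id1] = {"ut": id3, "secure": False, "seen": now}
        return id1, self.render(id1, "/home"), id3

    def render(self, id1, path):
        """Catalogue a freshly served page under a new random ID2."""
        id2 = new_id()
        self.pages[id2] = {"user": id1, "path": path, "next": {}}
        return id2

    def link(self, id2, target_path):
        """Steps 4 and 10: every hyperlink on page ID2 gets its own one-time npage value."""
        npage = new_id()
        self.pages[id2]["next"][npage] = target_path
        return npage

    def revoke(self, id1):
        """Forget ID1, its cookie ID3 and every page identifier issued to it."""
        self.users.pop(id1, None)
        for id2 in [k for k, v in self.pages.items() if v["user"] == id1]:
            del self.pages[id2]

    def restart(self, id1=None, now=None):
        """Steps 7 and 12: revoke everything and redirect to the start page with new IDs."""
        if id1 is not None:
            self.revoke(id1)
        return ("redirect",) + self.start(now)

    def request(self, id1, cookie, referer_cpage, npage, https, now=None):
        """Steps 7-9 and 12: check ID1, ID3 and the inactivity limit, then that the
        REFERER's ID2 is the precursor of npage. Success consumes the old page ID
        and issues a new ID2; any failure revokes the session and restarts it."""
        now = time.time() if now is None else now
        user = self.users.get(id1)
        if user is None or user["ut"] != cookie:
            return self.restart(id1 if user is not None else None, now)
        if now - user["seen"] > IDLE_TIMEOUT:
            return self.restart(id1, now)  # session expired through inactivity
        if user["secure"] and not https:
            return self.restart(id1, now)  # authenticated ID3 used on plain HTTP
        prev = self.pages.get(referer_cpage)
        if prev is None or prev["user"] != id1 or npage not in prev["next"]:
            return self.restart(id1, now)  # link path not followed: possible attack
        target = prev["next"].pop(npage)
        del self.pages[referer_cpage]      # Back button and replays of old IDs now fail
        user["seen"] = now
        return ("ok", id1, self.render(id1, target), user["ut"])

    def authenticate(self, id1, cookie, https):
        """Step 11: after a successful login over HTTPS, revoke the old ID3 and issue a new one."""
        user = self.users.get(id1)
        if user is None or user["ut"] != cookie or not https:
            return None
        user["ut"] = new_id()
        user["secure"] = True
        return user["ut"]

    def logout(self, id1):
        """Step 14: the user cancels the session and all identifiers are revoked."""
        self.revoke(id1)
```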



Conclusions
The stateless nature of HTTP requires organisations to use their own custom method of managing state through the use of session specific information. While there are a number of ways of implementing a session management solution, there are benefits and restrictions to each implementation. It is vital that developers understand both the mechanisms available to them, as well as the limitations. For applications requiring an application user to authenticate to access resources, it is imperative that the session management process is implemented securely.

The likelihood of an attacker specifically targeting the session management process is growing on a daily basis. As security technologies strengthen the server host's perimeter defences, and good patch management is implemented, session handling often represents the weakest area of critical services.

While this paper has described the limitations of various session handling methods, developers must be aware that good session management is only one component of building a secure application. Good session management can be bypassed through other poorly coded and implemented application components, and should not be seen as a stand-alone security measure.
The stateless nature of HTTP requires organisations and solution developers to find other methods of uniquely tracking a visitor through a web-base application. Various methods of managing a visitor’s session have been proposed and used, but the most popular method is through the use of unique session IDs. Unfortunately, in too many cases organisations have incorrectly applied session ID management techniques that have left their “secure” application open to abuse and possible hijacking. This document reviews the common assumptions and flaws organisations have made and proposes methods to make their session management more secure and robust.

Understanding the Situation
Most organisations now have substantial investments in their online Internet presences. For major financial institutions and retailers, the Internet provides both a cost effective means of presenting their services and products to customer, and a method of delivering a personalised 24-7 presence. In almost all cases, the preferred method of delivering these services is over common HTTP. Due to the way this protocol works, there is no inbuilt facility to uniquely identify or track a particular customer (or session) within an application – thus the connection between the customer’s web-browser and the organisations web-service is referred to as stateless. Therefore, organisations have been forced to adopt custom methods of managing client sessions if they wish to maintain state.

The most common method of tracking a customer through a web site is by assigning a unique session ID – and having this information transmitted back to the web server with every request. Unfortunately, should an attacker guess or steal this session ID information, it is normally a trivial exercise to hijack and manipulate another user’s active session.

An important aspect of correctly managing state information through session IDs relates directly to authentication processes. While it is possible to insist that a client using an organisations web application provide authentication information for each “restricted” page or data submission, it would soon become tedious and untenable. Thus session IDs are not only used to follow clients throughout the web application, they are also used to uniquely identify an authenticated user – thereby indirectly regulating access to site content or information.

The methods available to organisations for successfully managing sessions and preventing hijacking type attacks are largely dependant upon the answers to a number of critical questions:

1.Where and how often are legitimate clients expected to utilise the web-based application?
2.At what stage does the organisation really need to manage the state of a client’s session?
3.What level of damage could be done to the legitimate client should an attacker be able to impersonate and hijack their account?
4.How much time is someone likely to invest in breaking the session management method?
5.How will the application identify or respond to potential or real hijacking attempts?
6.What is the significance to application usability should it be necessary to use an encrypted version of HTTP (HTTPS)?
7.What would be the cost to the organisations reputation should information about a security flaw in any session management be made public?
Finding answers to these questions will enable the organisation to evaluate the likelihood and financial risk of an inappropriate or poorly implemented session management solution.

Maintaining State
Typically, the process of managing the state of a web-based client is through the use of session IDs. Session IDs are used by the application to uniquely identify a client browser, while background (server-side) processes are used to associate the session ID with a level of access. Thus, once a client has successfully authenticated to the web application, the session ID can be used as a stored authentication voucher so that the client does not have to retype their login information with each page request.

Organisations application developers have three methods available to them to both allocate and receive session ID information:

•Session ID information embedded in the URL, which is received by the application through HTTP GET requests when the client clicks on links embedded with a page.
•Session ID information stored within the fields of a form and submitted to the application. Typically the session ID information would be embedded within the form as a hidden field and submitted with the HTTP POST command.
•Through the use of cookies.
Each method has certain advantages and disadvantages, and one may be more appropriate than another. Selection of one method over another is largely dependant upon the type of service the web application is to deliver and the intended audience. Listed below is a more detailed analysis of the three methods. It is important that an organisations system developers understand the limitations and security implications of each delivery mechanism.

URL Based Session ID's
Session ID information embedded in the URL, which is received by the application through HTTP GET requests when the client clicks on links.
Example: http://www.example.com/news.asp?article ... IE60012219

Advantages:
•Can be used even if the client web-browser has high security settings and has disabled the use of cookies.
•Access to the information resource can be sent by the client to other users by providing them with a copy of the URL.
•If the Session ID is to be permanently associated with the client-browser and their computer, it is possible for the client to “Save as a favourite”.
•Depending upon the web browser type, URL information is commonly sent in the HTTP REFERER field. This information can be used to ensure a site visitor has followed a particular path within the web application, and subsequently used to identify some common forms of attack.

Disadvantages:
•Any person using the same computer will be able to review the browser history file or stored favourites and follow the same URL.
•URL information will be logged by intermediary systems such as firewalls and proxy servers. Thus anyone with access to these logs could observe the URL and possibly use the information in an attack.
•It is a trivial exercise for anyone to modify the URL and associated session ID information within a standard web browser. Thus, the skills and equipment necessary to carry out the attack are minimal – resulting in more frequent attacks.
•When a client navigates to a new web site, the URL containing the session information can be sent to the new site via the HTTP REFERER field.

Hidden Post Fields
Session ID information stored within the fields of a form and submitted to the application. Typically the session ID information would be embedded within the form as a hidden field and submitted with the HTTP POST command.
Example: Embedded within the HTML of a page –

<FORM METHOD=POST ACTION=”/cgi-bin/news.pl”>
<INPUT TYPE=”hidden” NAME=”sessionid” VALUE=”IE60012219”>
<INPUT TYPE=”hidden” NAME=”allowed” VALUE=”true”>
<INPUT TYPE=”submit” NAME=”Read News Article”>

Advantages:
•Not as obvious as URL embedded session information, and consequently requires a slightly higher skill level for an attacker to carry out any manipulation or hijacking.
•Allows a client to safely store or transmit URL information relating to the site without providing access to their session information.
•Can also be used even if the client web-browser has high security settings and has disabled the use of cookies.

Disadvantages:
•While it requires a slightly higher skill level to perform, attacks can be carried out using commonly available tools such as Telnet or via personal proxy services.
•The web application page content tends to be more complex – relying upon embedded form information, client-side scripting such as JavaScript, or embedded within active content such as Macromedia Flash. In addition - pages tend to be larger, requiring more time for the client to download and thus perceiving the site as slower and more unresponsive.
•Due to poor coding practices, a failure to check the submission type (i.e. GET or POST) at the server side may allow the POST content to be reformed into a URL that could be submitted via the HTTP GET method.

Cookies
Each time a client web browser accesses content from a particular domain or URL, if a cookie exists, the client browser is expected to submit any relevant cookie information as part of the HTTP request. Thus cookies can be used to preserve knowledge of the client browser across many pages and over periods of time. Cookies can be constructed to contain expiry information and may last beyond a single interactive session. Such cookies are referred to as “persistent cookies”, and are stored on the client browsers hard-drive in a location defined by the particular browser or operating system (e.g. c:\documents and settings\clientname\cookies for Internet Explorer on Windows XP). By omitting expiration information from a cookie, the client browser is expected to store the cookie only in memory. These “session cookies” should be erased when the browser is closed.
Example: Within the plain text of the HTTP server response –

Set-Cookie: sessionID=”IE60012219”; path=”/”; domain=”www.example.com”; expires=”2003-06-01 00:00:00GMT”; version=0

Advantages:
•Careful use of persistent and session type cookies can be used to regulate access to the web application over time.
•More options are available for controlling session ID timeouts.
•Session information is unlikely to be recorded by intermediary devices.
•Cookie functionality is built in to most browsers. Thus no special coding is required to ensure session ID information is embedded within the pages served to the client browser.

Disadvantages:
•An increasingly common security precaution with web browsers is to disable cookie functionality. Thus web applications dependant upon the cookie function will not work for “security conscious” users.
•As persistent cookies exist as text files on the client system, they can be easily copied used on other systems. Depending on the hosts file access permissions, other users of the host may steal this information and impersonate the user.
•Cookies are limited in size, and are unsuitable for storing complex arrays of state information.
•Cookies will be sent with very page and file requested by the browser within the domain defined by the SET-COOKIE.



The Session ID
An important aspect of managing state within the web application is the “strength” of the session ID itself. As the session ID is often used to track an authenticated user through the application, organisations must be aware that this session ID must fulfil a particular set of criteria if it is not to be compromised through predictive or brute-force type attacks. The two critical characteristics of a good session ID are randomness and length.

Session ID Randomness

It is important that the session ID is unpredictable and the application utilises a strong method of generating random ID’s. It is vital that a cryptographically strong algorithm is used to generate a unique session ID for an authenticated user. Ideally the session ID should be a random value. Do not use linear algorithms based upon predictable variables such as date, time and client IP address.

To this end, the session ID should fulfil the following criteria:

•It must look random – i.e. it should pass statistical tests of randomness.
•It must be unpredictable – i.e. it must be infeasible to predict what the next random value will be, given complete knowledge of the computational algorithm or hardware generating the ID and all previous ID’s.
•It cannot be reliably reproduced – i.e. if the ID generator is used twice with exactly the same input criteria, the result will be an unrelated random ID.
Session ID Length

It is important that the session ID be of a sufficient length to make it infeasible that a brute force method could be used to successfully derive a valid ID within a usable timeframe. Given current processor and bandwidth limitations, session ID’s consisting of over 50 random characters in length are recommended – but make them longer if the opportunity exists.

The actual length of the session ID is dependant upon a number of factors:

•Speed of connection – i.e. there is typically a big difference between Internet client, B2B and internal network connections. While an Internet client will typically have less than a 512 kbps connection speed, an internal user may be capable of connecting to the application server at 200 times faster. Thus an internal user could potentially obtain a valid session ID in 1/200th of the time.
•Complexity of the ID – i.e. what values and characters are used within the session ID? Moving from numeric values (0-9) to a case-sensitive alpha-numeric (a-z, A-Z, 0-9) range means that, for the same address space, the session ID becomes much more difficult to predict. For example, the numeric range of 000000-999999 could be covered by 0000-5BH7 using a case-sensitive alpha-numeric character set.


Session Hijacking
As session ID’s are used to uniquely identify and track a web application user, any attacker who obtains this unique identifier is potentially able to submit the same information and impersonate someone else – this class of attack is commonly referred to as Session Hijacking. Given the inherent stateless nature of the HTTP (and HTTPS) protocol, the process of masquerading as an alternative user using a hijacked session ID is trivial.

An attacker has at his disposal three methods for gaining session ID information – observation, brute force and misdirection of trust.

Observation

By default all HTTP traffic crosses the wire in an unencrypted, plain text, mode. Thus, any device with access to the same wire or shared network devices is capable of “sniffing” the traffic and recording session ID information (not to mention user authentication information such as user names and passwords). In addition, many perimeter devices automatically log aspects of HTTP traffic – in particular the URL information.

A simple security measure to prevent “sniffing” or logging of confidential URL information is to use the encrypted form of HTTP – HTTPS.

Brute Force

If the session ID information is generated or presented in such a way as to be predictable, it is very easy for an attacker to repeatedly attempt to guess a valid ID. Depending upon the randomness and the length of the session ID, this process can take as little time as a few seconds.

In ideal circumstances, an attacker using a domestic DSL line can potentially conduct up to as many as 1000 session ID guesses per second. Thus it is very important to have a sufficiently complex and long session ID to ensure that any likely brute forcing attack will take many hundreds of hours to predict.

A paper by David Endler on the processes involved in brute forcing session ID’s should be sought by readers requiring background information on this process.

Misdirected trust

In ideal circumstances, a client’s web browser would only ever disclose confidential session ID information to a single, trusted site. Unfortunately, there are numerous instances when this is not the case. For example – the HTTP REFERER field will send the full URL, and in some applications this URL may contain session ID information.

Another popular method, utilising common trust relationship flaws, are HTML embedded and Cross-site Scripting (CSS or sometimes XSS) attacks. Through clever embedding of HTML code or scripting elements, it is possible to steal session ID information – even if it is held within the URL, POST fields and cookies. Readers needing more information about this class of attack should review a copy of “HTML Code Injection and Cross-site scripting”.



Common Failings
While web based session management is important for tracking users and their navigation throughout an application, the most critical use is to maintain the state information of an authenticated user as he carries out his allowed functions. For online banking and retail environments, using an appropriately strong session management method is crucial to the success of the organisation.

In the past, I have had the opportunity to investigate session handling techniques for many of my client’s business critical online applications. Based upon these investigations, this section details some of the most common failings and assumptions that have been made.

Predictable Session ID’s

The most common flaw in session ID usage has always been predictability. As discussed earlier, the two causes are a lack of randomness, or length, or both.

•Sequential allocation of Session ID’s – Each visitor to the site is allocated a session ID in sequential order. Thus, by observing your own session ID information, the simple practice of replacing it with another value a few iterations up or down will allow the attacker to impersonate another user.
•Session ID values are too short – The full range of valid session ID’s could be covered during an automated attack before there is time for the session to expire.
•Common hashing techniques – While many commercial web services have built in functions for calculating hashed information, these mechanisms are well known and available for reproduction. A hashing function will indeed create a session ID value that appears to be unique and great care should be taken to ensure that predicable information is not used in the generation of the hash. For example, there have been cases where the “unique” hash was based upon the local system time, and the IP address of the connecting host. Using the same hashing function, the attacker would be able to pre-calculate a large number of time dependant hashes for a popular internet portal or proxy service (i.e. AOL), and use them to brute force any existing session from that service.
•Session Obfuscation – The use of a custom method of obscuring data and using it for session management. It is never a sound idea to include client or other confidential information within a session ID. For example, some organisations have even tried encoding the user’s name and password within the session ID using a shifted Unicode and hexadecimal representation of the information.
Insecure Transmission

For banking and retailing applications it is crucial that all confidential material and session information be transmitted securely and not vulnerable to observation or replay attacks. Unfortunately many commercial packages have failed in the past to secure the integrity of their session management due to insecure transmission.

•Use Encryption when sending session information – As mentioned earlier, there are a lot of instances whereby a users connection to the application server will be logged if not sent over an encrypted channel, such as HTTPS. This is particularly important for applications that require high a degree of confidentiality. If using the cookie method for managing session IDs, organisations should note that the client browser will submit the session ID with every request (this includes pages and graphics) and may even submit it to other servers within the same domain – which may or may not be done over a secure data channel.
•Use different session ID’s when shifting between secure and insecure application components – As a new user navigates the web application as a “guest”, use a different session ID than what would be allocated in the secure part of the application. Never use the same session ID information in the authenticated and unauthenticated sections of the web application. Again, ensure that the session ID to be used in the secure part of the web application is not predictable and based on the previous ID.
Length of Session Validity

For secure applications all session information should be time limited and allow for client-side cancellation or server-side revocation.

•Client Cancellation – Many web applications fail to allow for client-side cancellation such as “log-out”. If the intention is to allow users to interact with the application from anywhere, including Internet Cafes, organisations need to be aware that other users can use the same machine and trawl through the “history” and cached page information. If the session has not been cancelled, it is a trivial exercise for the next user of the computer to “resume” the last connection.
•Session Timeout – Again, when dealing with the possibility of shared client computers, it is extremely important that there is a limited lifetime (or period of inactivity) after which the session will automatically expire. The expiry time should be kept to a minimum period, and is dependant upon the nature of the application. Ideally the application should be capable of monitoring the period of inactivity for each session ID and be able to delete or revoke the session ID when a threshold has been reached.
•Server Revocation – In some circumstances it may be necessary to cancel an session at the server-side. Likely events include when the user leaves the insecure part of the application and enters the secure part with a new session ID. Alternatively, should some kind of attack be recorded by the server, it would be advisable to revoke the session associated with the attackers system.
Session Verification

The processes for handling and manipulating session ID information must be robust and capable of correctly handing attacks targeting the content within.

•Session ID Length - Ensure that the content of the session ID is of the expected size and type, and that the quality of the information is verified before processing. For instance, be capable of identifying over-sized session ID’s that may constitute a buffer overflow type attack. Additionally, ensure that the content of the session ID does not contain unexpected information – for example, if the session ID will be used within the application’s backend database, care should be taken that the session ID does not contain embedded data strings that may be interpreted as an extension to the 'Select' SQL query.
•Source of the Session ID – When using the HTTP POST method for communication session information, ensure that the application is capable of discerning whether the session ID was delivered to the application from the client browser through the HTTP POST method, and not through a manipulated GET request. Converting HTTP POST into a GET request is a common method of conducting cross-site scripting attacks and other distributed brute force attacks.


Good Session Management
Depending upon the applications purpose, various methods of implementing session handling are available to developers and some may be more applicable than another. For applications requiring the maximum level of session handling security, options are limited, and require a mix of methods described earlier in this document. The following example currently represents one of the most secure methods of handling sessions, but is complex and difficult to implement successfully. The method relies upon three sources of session ID information. This information is held within the URL, the HTTP REFERER field and cookies.

When a client initially connects to the application as a guest, they are assigned a unique personal identifier (ID1), and this information is then embedded within the URL that they are redirected to. Also contained within the URL is a random identifier for the viewed page (ID2). A third personal identifier (ID3) is delivered as a session cookie whose lifetime is that of the open client browser (i.e. the session cookie is held in memory; if the browser window and any child windows are closed, the information is lost). If the application server registers no further activity from the client browser, the session information of ID3 is revoked.

1. Client connects to the site www.example.com over HTTP. http://www.example.com/

2. The client is automatically redirected through a server-side redirect to the home page with a URL containing the unique session information: ID1 (user = ID93x7HeT7P4a9) and ID2 (current page = 3789264).

http://www.example.com/page.jsp?user=ID ... 4a9;cpage=3789264

3. Within the HTTP server response, a session cookie is delivered (user track = UT23dWT3nQi7n4).

Set-Cookie: UserTrack="UT23dWT3nQi7n4"; path="/"; domain="www.example.com"; expires="2000-01-01 00:00:00GMT"; version=0

Within the page presented to the client, there will be many hyperlinks to other content pages within the application. Each link has been dynamically generated to include the client ID1, and a randomly generated (but catalogued) page identifier. As the unauthenticated user moves throughout the site, the current page identifier will change while ID1 and ID3 remain static. ID3 will change when the user is successfully authenticated.
For pages containing user information submission areas, all HTML forms have hidden fields which include both ID1 and ID2. If the submitted information is likely to contain ANY confidential or personal information, the submission MUST be made securely over HTTPS.

4. Within the page, each hyperlink is uniquely addressed and contains an associated random identifier.

<a href="/page.asp?user=ID93x7HeT7P4a9;npage=8777623">Link 1</a>
<a href="/page.asp?user=ID93x7HeT7P4a9;npage=6319632">Link 2</a>
<a href="/subs/page.asp?user=ID93x7HeT7P4a9;npage=6349671">Link 3</a>

5. Within a page containing a user submission area, the form may look like the following (note that the ACTION specifies both HTTPS and the full URL):
<FORM METHOD=POST ACTION="https://www.example.com/post/page.asp">
<INPUT TYPE="hidden" NAME="user" VALUE="ID93x7HeT7P4a9">
<INPUT TYPE="hidden" NAME="cpage" VALUE="3789264">
<INPUT TYPE="text" NAME="data" MAXLENGTH="100">
<INPUT TYPE="submit" NAME="Send Data">

6. All pages or data submissions by the client browser will include the session cookie information (ID3).

7. The application must take each identifier (ID1, ID2 and ID3) and check that they are valid for the client request, and that they have not timed out or been revoked. If this information is NOT correct, the client is redirected to the application's first page with all new identifiers (ID1, ID2 and ID3) and all previous ID information is revoked.

8. When the client browser submits a request or follows a hyperlink, an HTTP REFERER value is included. This value represents the URL that was previously presented to the client browser. The application should verify that ID2 within the REFERER URL is the correct precursor to the newly requested page (npage=). If not, the client browser has not followed the correct path to request the new page, which may indicate an attack in progress.
For example, the correct sequence to reach page 2 from the initial page is by following "link 1". Therefore, the request for the page http://www.example.com/page.asp?user=ID ... ge=8777623 must contain http://www.example.com/page.jsp?user=ID ... ge=3789264 in the HTTP REFERER field.

9. If the identifiers are valid and correct, a new page is presented. ID2 is updated (e.g. current page = 8777623), while ID1 and ID3 remain the same. http://www.example.com/page.jsp?user=ID ... ge=8777623

10. The returned page contains new random identifiers for all hyperlinks. There should be a link to go "back" to the previous page; however, the previous page will have been assigned a new random identifier, so the client browser's "Back" button will no longer work. For example:

Original Page 1 was http://www.example.com/page.jsp?user=ID ... ge=3789264

Page 2 is http://www.example.com/page.jsp?user=ID ... ge=8777623

To return to Page 1, the URL may be http://www.example.com/page.jsp?user=ID93x7HeT7P4a9;cpage=7322641

When the application requires the user to authenticate, all data submission MUST be over an encrypted session such as HTTPS. If the user is successfully authenticated, a new session cookie (ID3) is issued, and the previous session cookie information is revoked at the server. All communication thereafter (until the user decides to "logout") must be over HTTPS.

11. If the user successfully authenticates with the application, the previous session cookie (ID3) is revoked and a new ID3 is issued through the now encrypted HTTPS session.

12. The application must be able to associate ID3 with the type of communication (i.e. HTTP or HTTPS), and immediately revoke all session information (ID1, ID2 and ID3) if the new ID3 is used to access non-secure application resources. The use of revoked or inappropriate session information should result in the client browser being redirected to the start page and issued with all new session identifiers as previously discussed.

13. Again, just like the unsecured parts of the application, all pages passed to the client in the authenticated and secure part of the application should have randomly generated page identifiers.

14. The user must have the facility to "logout" and cancel their session. Logging out results in the revocation of all session information and, if possible, the automatic closing of the client browser. In addition, it is a good practice to ensure that both the HTML Meta tags associated with caching and HTTP caching options are set to expire in the past so that no page content should be stored on the client system.

It is important to note that when session information is carried in the URL, it becomes nearly impossible to conduct any kind of URL-embedded cross-site scripting attack. By assigning unique random identifiers to each page and linking between pages with one-time identifiers, it is almost impossible for an attacker to conduct any brute force or repetitive attacks. However, as this session method relies upon session cookies, it will not work with client browsers that have cookies disabled. In some cases, a client browser page request may not contain any data in the HTTP REFERER field.
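The fourteen steps above, reduced to a server-side model so that the checks in steps 7, 8 and 12 can be seen together. This is an added example and not the paper's code: ID1 is the user parameter, ID2 the per-page cpage/npage identifier, ID3 the UserTrack cookie, all stored in memory and keyed by ID1. The Request class is a constructed stand-in for the browser's request, the page.jsp path and parameter names follow the paper's URLs, and timeouts are left out so that the identifier chain itself stays in focus.

```python
"""Server-side model of the three-identifier session scheme (added example, not
from the original paper). ID1 = `user` URL parameter, ID2 = `cpage`/`npage`
page identifier, ID3 = `UserTrack` session cookie. Request is a constructed
stand-in for the browser request; identifiers are assumed to be opaque tokens.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def new_token() -> str:
    """Unpredictable identifier from the OS CSPRNG; used for ID1, ID2 and ID3 alike."""
    return secrets.token_urlsafe(24)


def parse_params(url: str) -> Dict[str, str]:
    """Parse the ';'-separated parameters of the paper's URLs (user=...;cpage=...)."""
    out: Dict[str, str] = {}
    for part in urlsplit(url).query.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


@dataclass
class Session:
    user: str                    # ID1: carried in every URL the client is given
    track: str                   # ID3: the UserTrack session cookie
    cpage: str                   # ID2 of the page most recently served
    links: Dict[str, str] = field(default_factory=dict)  # one-time npage -> logical page
    authenticated: bool = False  # once True, ID3 is only valid over HTTPS (step 12)


@dataclass
class Request:
    """Constructed stand-in for the browser request (URL, cookies, REFERER)."""
    url: str
    cookies: Dict[str, str]
    referer: str = ""


class SessionServer:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}      # keyed by ID1

    def start(self) -> Tuple[str, str]:
        """Steps 1-3: new ID1, ID2 and ID3; returns (redirect URL, UserTrack cookie value)."""
        s = Session(user=new_token(), track=new_token(), cpage=new_token())
        self.sessions[s.user] = s
        return self.page_url(s), s.track

    def page_url(self, s: Session, scheme: str = "http") -> str:
        return f"{scheme}://www.example.com/page.jsp?user={s.user};cpage={s.cpage}"

    def session_for(self, url: str) -> Optional[Session]:
        return self.sessions.get(parse_params(url).get("user", ""))

    def render_links(self, s: Session, targets: List[str]) -> Dict[str, str]:
        """Steps 4 and 10: every hyperlink on a served page gets a fresh one-time ID2."""
        s.links = {}
        hrefs = {}
        for target in targets:
            npage = new_token()
            s.links[npage] = target
            hrefs[target] = f"/page.jsp?user={s.user};npage={npage}"
        return hrefs

    def revoke(self, s: Session) -> None:
        self.sessions.pop(s.user, None)

    def handle(self, req: Request) -> Tuple[str, str]:
        """Steps 7, 8 and 12: check ID1, ID2, ID3 and the REFERER chain.

        Returns ("ok", logical page) or ("restart", new start URL); on any failure
        every previous identifier is revoked before the fresh set is issued.
        """
        s = self.session_for(req.url)
        if s is None:                                          # unknown or revoked ID1
            return "restart", self.start()[0]
        problems = []
        if req.cookies.get("UserTrack") != s.track:            # ID3 must belong to this ID1
            problems.append("cookie mismatch")
        if s.authenticated and urlsplit(req.url).scheme != "https":
            problems.append("authenticated ID3 used over plain HTTP")
        if parse_params(req.referer).get("cpage") != s.cpage:  # REFERER must be the precursor page
            problems.append("referer is not the previous page")
        npage = parse_params(req.url).get("npage", "")
        if npage not in s.links:                               # ID2 must be a link this page issued
            problems.append("unknown or reused page identifier")
        if problems:
            self.revoke(s)
            return "restart", self.start()[0]
        target = s.links[npage]
        s.cpage, s.links = npage, {}                           # step 9: ID2 advances, old links die
        return "ok", target

    def authenticate(self, s: Session) -> str:
        """Step 11: revoke the guest ID3 and issue a new one for the HTTPS part of the site."""
        s.track = new_token()
        s.authenticated = True
        return s.track

    def logout(self, s: Session) -> None:
        """Step 14: cancel ID1, ID2 and ID3 server-side."""
        self.revoke(s)
```

Because every served page replaces the whole link table, replaying a link (the "Back" button case in step 10) fails the ID2 check and, as step 7 requires, tears down the session rather than merely refusing the page. A real deployment would add the inactivity timeout on ID3 and a browser-side fallback for requests that carry no REFERER, which the note above identifies as the scheme's limitation.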



Conclusions
The stateless nature of HTTP requires organisations to use their own custom method of managing state through the use of session specific information. While there are a number of ways of implementing a session management solution, there are benefits and restrictions to each implementation. It is vital that developers understand both the mechanisms available to them, as well as the limitations. For applications requiring an application user to authenticate to access resources, it is imperative that the session management process is implemented securely.

The likelihood of an attacker specifically targeting the session management process is growing daily. As security technologies strengthen the server host's perimeter defences and good patch management is implemented, session handling often represents the weakest area of critical services.

While this paper has described the limitations of various session handling methods, developers must be aware that good session management is only one component of building a secure application. Good session management can be bypassed through other poorly coded and implemented application components, and should not be seen as a stand-alone security measure.

The stateless nature of HTTP requires organisations and solution developers to find other methods of uniquely tracking a visitor through a web-based application. Various methods of managing a visitor’s session have been proposed and used, but the most popular method is through the use of unique session IDs. Unfortunately, in too many cases organisations have incorrectly applied session ID management techniques that have left their “secure” application open to abuse and possible hijacking. This document reviews the common assumptions and flaws organisations have made and proposes methods to make their session management more secure and robust.

Understanding the Situation
Most organisations now have substantial investments in their online Internet presences. For major financial institutions and retailers, the Internet provides both a cost-effective means of presenting their services and products to customers, and a method of delivering a personalised 24-7 presence. In almost all cases, the preferred method of delivering these services is over common HTTP. Due to the way this protocol works, there is no inbuilt facility to uniquely identify or track a particular customer (or session) within an application – thus the connection between the customer’s web browser and the organisation's web service is referred to as stateless. Therefore, organisations have been forced to adopt custom methods of managing client sessions if they wish to maintain state.

The most common method of tracking a customer through a web site is by assigning a unique session ID – and having this information transmitted back to the web server with every request. Unfortunately, should an attacker guess or steal this session ID information, it is normally a trivial exercise to hijack and manipulate another user’s active session.

An important aspect of correctly managing state information through session IDs relates directly to authentication processes. While it is possible to insist that a client using an organisation's web application provide authentication information for each “restricted” page or data submission, it would soon become tedious and untenable. Thus session IDs are not only used to follow clients throughout the web application; they are also used to uniquely identify an authenticated user, thereby indirectly regulating access to site content or information.

The methods available to organisations for successfully managing sessions and preventing hijacking type attacks are largely dependent upon the answers to a number of critical questions:

1. Where and how often are legitimate clients expected to utilise the web-based application?
2. At what stage does the organisation really need to manage the state of a client’s session?
3. What level of damage could be done to the legitimate client should an attacker be able to impersonate and hijack their account?
4. How much time is someone likely to invest in breaking the session management method?
5. How will the application identify or respond to potential or real hijacking attempts?
6. What is the significance to application usability should it be necessary to use an encrypted version of HTTP (HTTPS)?
7. What would be the cost to the organisation's reputation should information about a security flaw in any session management be made public?
Finding answers to these questions will enable the organisation to evaluate the likelihood and financial risk of an inappropriate or poorly implemented session management solution.

Maintaining State
Typically, the process of managing the state of a web-based client is through the use of session IDs. Session IDs are used by the application to uniquely identify a client browser, while background (server-side) processes are used to associate the session ID with a level of access. Thus, once a client has successfully authenticated to the web application, the session ID can be used as a stored authentication voucher so that the client does not have to retype their login information with each page request.

Organisations' application developers have three methods available to them to both allocate and receive session ID information:

•Session ID information embedded in the URL, which is received by the application through HTTP GET requests when the client clicks on links embedded with a page.
•Session ID information stored within the fields of a form and submitted to the application. Typically the session ID information would be embedded within the form as a hidden field and submitted with the HTTP POST command.
•Through the use of cookies.
Each method has certain advantages and disadvantages, and one may be more appropriate than another. Selection of one method over another is largely dependent upon the type of service the web application is to deliver and the intended audience. Listed below is a more detailed analysis of the three methods. It is important that an organisation's system developers understand the limitations and security implications of each delivery mechanism.

URL Based Session IDs
Session ID information embedded in the URL, which is received by the application through HTTP GET requests when the client clicks on links.
Example: http://www.example.com/news.asp?article ... IE60012219

Advantages:
•Can be used even if the client web-browser has high security settings and has disabled the use of cookies.
•Access to the information resource can be sent by the client to other users by providing them with a copy of the URL.
•If the Session ID is to be permanently associated with the client-browser and their computer, it is possible for the client to “Save as a favourite”.
•Depending upon the web browser type, URL information is commonly sent in the HTTP REFERER field. This information can be used to ensure a site visitor has followed a particular path within the web application, and subsequently used to identify some common forms of attack.

Disadvantages:
•Any person using the same computer will be able to review the browser history file or stored favourites and follow the same URL.
•URL information will be logged by intermediary systems such as firewalls and proxy servers. Thus anyone with access to these logs could observe the URL and possibly use the information in an attack.
•It is a trivial exercise for anyone to modify the URL and associated session ID information within a standard web browser. Thus, the skills and equipment necessary to carry out the attack are minimal – resulting in more frequent attacks.
•When a client navigates to a new web site, the URL containing the session information can be sent to the new site via the HTTP REFERER field.

Hidden Post Fields
Session ID information stored within the fields of a form and submitted to the application. Typically the session ID information would be embedded within the form as a hidden field and submitted with the HTTP POST command.
Example: Embedded within the HTML of a page –

<FORM METHOD=POST ACTION="/cgi-bin/news.pl">
<INPUT TYPE="hidden" NAME="sessionid" VALUE="IE60012219">
<INPUT TYPE="hidden" NAME="allowed" VALUE="true">
<INPUT TYPE="submit" NAME="Read News Article">

Advantages:
•Not as obvious as URL embedded session information, and consequently requires a slightly higher skill level for an attacker to carry out any manipulation or hijacking.
•Allows a client to safely store or transmit URL information relating to the site without providing access to their session information.
•Can also be used even if the client web-browser has high security settings and has disabled the use of cookies.

Disadvantages:
•While it requires a slightly higher skill level to perform, attacks can be carried out using commonly available tools such as Telnet or via personal proxy services.
•The web application page content tends to be more complex – relying upon embedded form information, client-side scripting such as JavaScript, or embedding within active content such as Macromedia Flash. In addition, pages tend to be larger, requiring more time for the client to download, so the client perceives the site as slower and less responsive.
•Due to poor coding practices, a failure to check the submission type (i.e. GET or POST) at the server side may allow the POST content to be reformed into a URL that could be submitted via the HTTP GET method.

Cookies
Each time a client web browser accesses content from a particular domain or URL, if a cookie exists, the client browser is expected to submit any relevant cookie information as part of the HTTP request. Thus cookies can be used to preserve knowledge of the client browser across many pages and over periods of time. Cookies can be constructed to contain expiry information and may last beyond a single interactive session. Such cookies are referred to as “persistent cookies”, and are stored on the client's hard drive in a location defined by the particular browser or operating system (e.g. c:\documents and settings\clientname\cookies for Internet Explorer on Windows XP). By omitting expiration information from a cookie, the client browser is expected to store the cookie only in memory. These “session cookies” should be erased when the browser is closed.
Example: Within the plain text of the HTTP server response –

Set-Cookie: sessionID="IE60012219"; path="/"; domain="www.example.com"; expires="2003-06-01 00:00:00GMT"; version=0

Advantages:
•Careful use of persistent and session type cookies can be used to regulate access to the web application over time.
•More options are available for controlling session ID timeouts.
•Session information is unlikely to be recorded by intermediary devices.
•Cookie functionality is built in to most browsers. Thus no special coding is required to ensure session ID information is embedded within the pages served to the client browser.

Disadvantages:
•An increasingly common security precaution with web browsers is to disable cookie functionality. Thus web applications dependent upon the cookie function will not work for “security conscious” users.
•As persistent cookies exist as text files on the client system, they can easily be copied and used on other systems. Depending on the host's file access permissions, other users of the host may steal this information and impersonate the user.
•Cookies are limited in size, and are unsuitable for storing complex arrays of state information.
•Cookies will be sent with every page and file requested by the browser within the domain defined by the SET-COOKIE.
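The three delivery mechanisms described above (URL, hidden POST field, cookie), as an added example that is not part of the paper. It extracts a session ID from each carrier with the Python standard library, and builds the Set-Cookie header for both a session cookie (no lifetime, held in memory) and a persistent cookie (Max-Age, written to disk). The parameter and cookie name sessionid and the sample values are constructed for the demonstration; the Secure and HttpOnly attributes are a hardening choice beyond the paper's example header, added because the cookie would otherwise be sent on any plain-HTTP request within the domain, as the last disadvantage above notes.

```python
"""Extracting a session ID from the three carriers the text describes (URL query
string, hidden POST form field, Cookie header) and building the Set-Cookie header.

Added example, not from the original paper. "sessionid" is the assumed
parameter/cookie name; sample values in the tests are constructed.
"""
from http.cookies import SimpleCookie
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


def from_url(url: str, name: str = "sessionid") -> Optional[str]:
    """URL-embedded ID: read from the query string of a GET request."""
    values = parse_qs(urlsplit(url).query).get(name, [])
    return values[0] if len(values) == 1 else None      # duplicates are rejected


def from_post_body(body: str, name: str = "sessionid") -> Optional[str]:
    """Hidden form field: read from an application/x-www-form-urlencoded body."""
    values = parse_qs(body).get(name, [])
    return values[0] if len(values) == 1 else None


def from_cookie_header(header: str, name: str = "sessionid") -> Optional[str]:
    """Cookie: read from the request's Cookie header (quoted values are unquoted)."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


def locate_session_id(url: str, body: str, cookie_header: str,
                      name: str = "sessionid") -> Dict[str, Optional[str]]:
    """Report which carrier(s) held the ID; a request should use exactly one, and
    disagreement between carriers is worth logging as a possible manipulation."""
    return {"url": from_url(url, name),
            "post": from_post_body(body, name),
            "cookie": from_cookie_header(cookie_header, name)}


def set_cookie_header(name: str, value: str, persistent_seconds: Optional[int] = None,
                      secure: bool = True) -> str:
    """Build a Set-Cookie header value.

    No Max-Age/Expires -> a "session cookie" the browser keeps only in memory.
    A lifetime -> a "persistent cookie" written to the client's disk.
    Secure keeps the cookie off plain-HTTP requests to the same domain; HttpOnly
    keeps it away from page scripts. Both are hardening beyond the paper's header.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if secure:
        jar[name]["secure"] = True
    if persistent_seconds is not None:
        jar[name]["max-age"] = persistent_seconds
    return jar[name].OutputString()
```

Note that from_url is exactly the path by which a session ID leaks into proxy logs, browser history and the REFERER of other sites; the function exists so the server can recognise the carrier, not as a recommendation to use it.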



The Session ID
An important aspect of managing state within the web application is the “strength” of the session ID itself. As the session ID is often used to track an authenticated user through the application, organisations must be aware that this session ID must fulfil a particular set of criteria if it is not to be compromised through predictive or brute-force type attacks. The two critical characteristics of a good session ID are randomness and length.

Session ID Randomness

It is important that the session ID is unpredictable and that the application utilises a strong method of generating random IDs. It is vital that a cryptographically strong algorithm is used to generate a unique session ID for an authenticated user. Ideally the session ID should be a random value. Do not use linear algorithms based upon predictable variables such as date, time and client IP address.

To this end, the session ID should fulfil the following criteria:

•It must look random – i.e. it should pass statistical tests of randomness.
•It must be unpredictable – i.e. it must be infeasible to predict what the next random value will be, given complete knowledge of the computational algorithm or hardware generating the ID and all previous IDs.
•It cannot be reliably reproduced – i.e. if the ID generator is used twice with exactly the same input criteria, the result will be an unrelated random ID.
Session ID Length

It is important that the session ID be of a sufficient length to make it infeasible that a brute force method could be used to successfully derive a valid ID within a usable timeframe. Given current processor and bandwidth limitations, session IDs consisting of over 50 random characters in length are recommended – but make them longer if the opportunity exists.

The actual length of the session ID is dependent upon a number of factors:

•Speed of connection – i.e. there is typically a big difference between Internet client, B2B and internal network connections. While an Internet client will typically have less than a 512 kbps connection speed, an internal user may be capable of connecting to the application server 200 times faster. Thus an internal user could potentially obtain a valid session ID in 1/200th of the time.
•Complexity of the ID – i.e. what values and characters are used within the session ID? Moving from numeric values (0-9) to a case-sensitive alpha-numeric (a-z, A-Z, 0-9) range means that, for the same address space, the session ID becomes much more difficult to predict. For example, the numeric range of 000000-999999 could be covered by 0000-5BH7 using a case-sensitive alpha-numeric character set.


Session Hijacking
As session IDs are used to uniquely identify and track a web application user, any attacker who obtains this unique identifier is potentially able to submit the same information and impersonate someone else – this class of attack is commonly referred to as Session Hijacking. Given the inherent stateless nature of the HTTP (and HTTPS) protocol, the process of masquerading as an alternative user using a hijacked session ID is trivial.

An attacker has at his disposal three methods for gaining session ID information – observation, brute force and misdirection of trust.

Observation

By default all HTTP traffic crosses the wire in an unencrypted, plain text, mode. Thus, any device with access to the same wire or shared network devices is capable of “sniffing” the traffic and recording session ID information (not to mention user authentication information such as user names and passwords). In addition, many perimeter devices automatically log aspects of HTTP traffic – in particular the URL information.

A simple security measure to prevent “sniffing” or logging of confidential URL information is to use the encrypted form of HTTP – HTTPS.

Brute Force

If the session ID information is generated or presented in such a way as to be predictable, it is very easy for an attacker to repeatedly attempt to guess a valid ID. Depending upon the randomness and the length of the session ID, this process can take as little time as a few seconds.

In ideal circumstances, an attacker using a domestic DSL line can potentially conduct up to as many as 1000 session ID guesses per second. Thus it is very important to have a sufficiently complex and long session ID to ensure that any likely brute forcing attack will take many hundreds of hours to predict.

A paper by David Endler on the processes involved in brute forcing session IDs should be sought by readers requiring background information on this process.
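The sizing argument from the Session ID Randomness and Session ID Length sections, and the guess-rate argument in the Brute Force section, worked through in one added example that is not part of the paper. It generates IDs from the operating system's CSPRNG via the secrets module and reduces the brute-force question to arithmetic on the key space: how many bits an ID format carries, how many case-sensitive alphanumerics cover the same space as a run of digits, and the expected time to hit a live session at a given guess rate. The 1000 guesses per second and the 200 times faster internal connection are the text's own figures, used here only as inputs; the 128-bit acceptance floor is an assumption.

```python
"""Sizing a session ID against brute-force guessing (added example, not from
the original paper). IDs come from the OS CSPRNG via `secrets`; the time
figures are arithmetic estimates on the key space, not measurements. The
1000 guesses/second and 200x internal-network figures are the text's; the
128-bit minimum in meets_minimum() is an assumption.
"""
import math
import secrets
import string

DIGITS = string.digits                           # 10 symbols
ALNUM = string.digits + string.ascii_letters     # 62 symbols, case-sensitive


def new_session_id(length: int = 64, alphabet: str = ALNUM) -> str:
    """Uniformly random ID over `alphabet`. secrets.choice draws from the OS CSPRNG,
    so knowing the algorithm and every earlier ID gives no help with the next one,
    unlike a generator seeded from the time or the client address."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random ID of this length and alphabet."""
    return length * math.log2(alphabet_size)


def equivalent_length(length: int, from_size: int, to_size: int) -> int:
    """Shortest length over a `to_size` alphabet whose key space is at least as large
    as `length` symbols over a `from_size` alphabet (e.g. six digits -> four alnum)."""
    return math.ceil(length * math.log(from_size) / math.log(to_size))


def expected_hours_to_guess(length: int, alphabet_size: int,
                            guesses_per_second: float, live_sessions: int = 1) -> float:
    """Expected time for random guessing to hit one of `live_sessions` valid IDs.

    On average half the key space is searched before a hit, and every additional
    live session is another target, so the key space has to dwarf the number of
    concurrent users rather than merely exceed it.
    """
    expected_guesses = (alphabet_size ** length) / (2 * live_sessions)
    return expected_guesses / guesses_per_second / 3600.0


def meets_minimum(session_id: str, alphabet: str = ALNUM, min_bits: float = 128.0) -> bool:
    """Acceptance check for an issued ID: right alphabet and at least `min_bits` of
    key space (128 bits is an assumed floor; the text recommends 50+ characters)."""
    if any(ch not in alphabet for ch in session_id):
        return False
    return keyspace_bits(len(session_id), len(alphabet)) >= min_bits
```

Running the numbers at the text's rate: a six-digit numeric ID is expected to fall in about eight minutes from a single client, and 200 times sooner from the internal network; a 50-character alphanumeric ID carries close to 300 bits and the same calculation returns a figure with no practical meaning, which is the point of the recommendation.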

Misdirected trust

In ideal circumstances, a client’s web browser would only ever disclose confidential session ID information to a single, trusted site. Unfortunately, there are numerous instances when this is not the case. For example – the HTTP REFERER field will send the full URL, and in some applications this URL may contain session ID information.

Another popular class of method, utilising common trust-relationship flaws, is HTML embedding and Cross-site Scripting (CSS, or sometimes XSS) attacks. Through clever embedding of HTML code or scripting elements, it is possible to steal session ID information – even if it is held within the URL, POST fields or cookies. Readers needing more information about this class of attack should review a copy of “HTML Code Injection and Cross-site scripting”.



Common Failings
While web based session management is important for tracking users and their navigation throughout an application, the most critical use is to maintain the state information of an authenticated user as he carries out his allowed functions. For online banking and retail environments, using an appropriately strong session management method is crucial to the success of the organisation.

In the past, I have had the opportunity to investigate session handling techniques for many of my clients' business-critical online applications. Based upon these investigations, this section details some of the most common failings and assumptions that have been made.

Predictable Session ID’s

The most common flaw in session ID usage has always been predictability. As discussed earlier, the two causes are a lack of randomness, or length, or both.

•Sequential allocation of Session IDs – Each visitor to the site is allocated a session ID in sequential order. Thus, by observing your own session ID information, the simple practice of replacing it with another value a few iterations up or down will allow the attacker to impersonate another user.
•Session ID values are too short – The full range of valid session IDs could be covered during an automated attack before there is time for the session to expire.
•Common hashing techniques – While many commercial web services have built-in functions for calculating hashed information, these mechanisms are well known and available for reproduction. A hashing function will indeed create a session ID value that appears to be unique, and great care should be taken to ensure that predictable information is not used in the generation of the hash. For example, there have been cases where the “unique” hash was based upon the local system time and the IP address of the connecting host. Using the same hashing function, the attacker would be able to pre-calculate a large number of time-dependent hashes for a popular internet portal or proxy service (e.g. AOL), and use them to brute force any existing session from that service.
•Session Obfuscation – The use of a custom method of obscuring data and using it for session management. It is never a sound idea to include client or other confidential information within a session ID. For example, some organisations have even tried encoding the user’s name and password within the session ID using a shifted Unicode and hexadecimal representation of the information.
Insecure Transmission

For banking and retailing applications it is crucial that all confidential material and session information be transmitted securely and not vulnerable to observation or replay attacks. Unfortunately many commercial packages have failed in the past to secure the integrity of their session management due to insecure transmission.

•Use Encryption when sending session information – As mentioned earlier, there are a lot of instances whereby a user's connection to the application server will be logged if not sent over an encrypted channel, such as HTTPS. This is particularly important for applications that require a high degree of confidentiality. If using the cookie method for managing session IDs, organisations should note that the client browser will submit the session ID with every request (this includes pages and graphics) and may even submit it to other servers within the same domain – which may or may not be done over a secure data channel.
•Use different session ID’s when shifting between secure and insecure application components – As a new user navigates the web application as a “guest”, use a different session ID than what would be allocated in the secure part of the application. Never use the same session ID information in the authenticated and unauthenticated sections of the web application. Again, ensure that the session ID to be used in the secure part of the web application is not predictable and based on the previous ID.
Length of Session Validity

For secure applications all session information should be time limited and allow for client-side cancellation or server-side revocation.

•Client Cancellation – Many web applications fail to allow for client-side cancellation such as “log-out”. If the intention is to allow users to interact with the application from anywhere, including Internet Cafes, organisations need to be aware that other users can use the same machine and trawl through the “history” and cached page information. If the session has not been cancelled, it is a trivial exercise for the next user of the computer to “resume” the last connection.
•Session Timeout – Again, when dealing with the possibility of shared client computers, it is extremely important that there is a limited lifetime (or period of inactivity) after which the session will automatically expire. The expiry time should be kept to a minimum period, and is dependent upon the nature of the application. Ideally the application should be capable of monitoring the period of inactivity for each session ID and be able to delete or revoke the session ID when a threshold has been reached.
•Server Revocation – In some circumstances it may be necessary to cancel a session at the server side. Likely events include the user leaving the insecure part of the application and entering the secure part with a new session ID. Alternatively, should some kind of attack be recorded by the server, it would be advisable to revoke the session associated with the attacker's system.
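The controls in the Length of Session Validity list above, together with the "different session IDs when shifting between secure and insecure components" point from Insecure Transmission, as an added example that is not part of the paper. The store enforces an inactivity timeout and an absolute lifetime, supports client "log-out" and server-side revocation, and issues an unrelated new ID when a guest becomes an authenticated user. The two limits are assumptions, time is passed in as a parameter so the behaviour is deterministic, and the anti-caching headers returned on logout implement the "expire in the past" advice given later for shared machines.

```python
"""Session lifetime controls: idle timeout, absolute lifetime, client log-out,
server-side revocation and a fresh ID across the guest/authenticated boundary.

Added example, not from the original paper. IDLE_LIMIT and ABSOLUTE_LIMIT are
assumed values; `now` is injected so the logic can be exercised without sleeping.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_LIMIT = 15 * 60        # assumed: 15 minutes without a request ends the session
ABSOLUTE_LIMIT = 8 * 3600   # assumed: no session lives longer than 8 hours, active or not

# Headers sent with the logout response so no page is kept in the browser cache.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",       # already in the past
}


@dataclass
class Record:
    principal: Optional[str]   # None while the visitor is still a guest
    created: float
    last_seen: float

    def expired(self, now: float) -> bool:
        return (now - self.last_seen > IDLE_LIMIT) or (now - self.created > ABSOLUTE_LIMIT)


class SessionStore:
    def __init__(self) -> None:
        self._live: Dict[str, Record] = {}

    def create(self, now: float, principal: Optional[str] = None) -> str:
        """Issue a new, unpredictable ID (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        self._live[sid] = Record(principal, now, now)
        return sid

    def lookup(self, sid: str, now: float) -> Optional[Record]:
        """Return the record if valid at `now`; an expired record is revoked on sight."""
        rec = self._live.get(sid)
        if rec is None:
            return None
        if rec.expired(now):
            self.revoke(sid)
            return None
        rec.last_seen = now        # activity extends the idle window, never the absolute one
        return rec

    def promote(self, guest_sid: str, principal: str, now: float) -> Optional[str]:
        """Guest -> authenticated: revoke the guest ID and issue an unrelated new one,
        so an ID observed before login is worthless afterwards."""
        if self.lookup(guest_sid, now) is None:
            return None
        self.revoke(guest_sid)
        return self.create(now, principal)

    def revoke(self, sid: str) -> None:
        """Server-side revocation: usable on any sign of misuse, not only at logout."""
        self._live.pop(sid, None)

    def logout(self, sid: str) -> Dict[str, str]:
        """Client cancellation: revoke and hand back headers that keep the page out of
        the cache, so the next user of a shared machine cannot resume the session."""
        self.revoke(sid)
        return dict(NO_CACHE_HEADERS)

    def sweep(self, now: float) -> int:
        """Background reaper for sessions that simply went quiet; returns how many died."""
        dead = [sid for sid, rec in self._live.items() if rec.expired(now)]
        for sid in dead:
            self.revoke(sid)
        return len(dead)

    def live_count(self) -> int:
        return len(self._live)
```

The sweep exists because a session that is never looked up again would otherwise sit in the store forever; with both the on-access check and the reaper, a quiet session is gone within one idle window either way.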
Session Verification

The processes for handling and manipulating session ID information must be robust and capable of correctly handing attacks targeting the content within.

•Session ID Length - Ensure that the content of the session ID is of the expected size and type, and that the quality of the information is verified before processing. For instance, be capable of identifying over-sized session ID’s that may constitute a buffer overflow type attack. Additionally, ensure that the content of the session ID does not contain unexpected information – for example, if the session ID will be used within the application’s backend database, care should be taken that the session ID does not contain embedded data strings that may be interpreted as an extension to the 'Select' SQL query.
•Source of the Session ID – When using the HTTP POST method for communication session information, ensure that the application is capable of discerning whether the session ID was delivered to the application from the client browser through the HTTP POST method, and not through a manipulated GET request. Converting HTTP POST into a GET request is a common method of conducting cross-site scripting attacks and other distributed brute force attacks.


Good Session Management
Depending upon the applications purpose, various methods of implementing session handling are available to developers and some may be more applicable than another. For applications requiring the maximum level of session handling security, options are limited, and require a mix of methods described earlier in this document. The following example currently represents one of the most secure methods of handling sessions, but is complex and difficult to implement successfully. The method relies upon three sources of session ID information. This information is held within the URL, the HTTP REFERER field and cookies.

When a client initially connects to the application as a guest, they are assigned a unique personal identifier (ID1), and this information is then embedded within the URL that they are redirected to. Also contained within the URL is a random identifier for the viewed page (ID2). A third personal identifier (ID3) is delivered as a session cookie, with a lifetime of the open client browser (i.e. the session cookie is held in memory – if the browser window and any child windows are closed, the information is lost). If the application server registers no activity from the client browser, the session information of ID3 is revoked.

1. Client connects to the site www.example.com over HTTP. http://www.example.com/

2. The Client is automatically redirected through a server-side redirect to the home page with a URL containing the unique session information - ID1 (user = ID93x7HeT7P4a9) and ID2 (current page = 3789264).

http://www.example.com/page.jsp?user=ID ... 4a9;cpage= 3789264

3. Within the HTTP server response, a session cookie is delivered (user track = UT23dWT3nQi7n4).

Set-Cookie: UserTrack="UT23dWT3nQi7n4"; path="/"; domain="www.example.com"; expires="2000-01-01 00:00:00GMT"; version=0

Within the page presented to the client, there will be many hyperlinks to other content pages within the application. Each link has been dynamically generated to include the client ID1, and a randomly generated (but catalogued) page identifier. As the unauthenticated user moves throughout the site, the current page identifier will change while ID1 and ID3 remain static. ID3 will change when the user is successfully authenticated.
For pages containing user information submission areas, all HTML forms have hidden fields which include both ID1 and ID2. If the submitted information is likely to contain ANY confidential or personal information, the submission MUST be made securely over HTTPS.

4. Within the page, each hyperlink is uniquely addressed and contains an associated random identifier.

<a href="/page.asp?user=ID93x7HeT7P4a9;npage=8777623">Link 1</a>
<a href="/page.asp?user=ID93x7HeT7P4a9;npage=6319632">Link 2</a>
<a href="/subs/page.asp?user=ID93x7HeT7P4a9;npage=6349671">Link 3</a>

5. Within a page containing a user submission area, the form may look like the following (note that the ACTION specifies both HTTPS and the full URL):
<FORM METHOD=POST ACTION="https://www.example.com/post/page.asp">
<INPUT TYPE="hidden" NAME="user" VALUE="ID93x7HeT7P4a9">
<INPUT TYPE="hidden" NAME="cpage" VALUE="3789264">
<INPUT TYPE="text" NAME="data" MAXLENGTH="100">
<INPUT TYPE="submit" NAME="Send Data">
</FORM>

6. All pages or data submissions by the client browser will include the session cookie information (ID3).

7. The application must take each identifier (ID1, ID2 and ID3) and check whether they are valid for the client request, and that they have not timed out or been revoked. If this information is NOT correct, the client is redirected to the application's first page with all new identifiers (ID1, ID2 and ID3), and all previous ID information is revoked.

8. When the client browser submits a request or follows a hyperlink, an HTTP REFERER value is included. This value represents the URL that was previously presented to the client browser. The application should verify that ID2 within the REFERER URL is the correct precursor to the newly requested page (npage=). If not, the client browser has not followed the correct path to request the new page, which may be indicative of an attack in progress.
For example, the correct sequence to reach page 2 from the initial page is by following "link 1". Therefore, the request for the page http://www.example.com/page.asp?user=ID ... ge=8777623 must contain http://www.example.com/page.jsp?user=ID ... ge=3789264 in the HTTP REFERER field.

9. If the identifiers are valid and correct, a new page is presented. ID2 is updated (e.g. current page = 8777623), while ID1 and ID3 remain the same. http://www.example.com/page.jsp?user=ID ... ge=8777623

10. The returned page contains new random identifiers for all hyperlinks. There should be a link to go "back" to the previous page. However, the previous page will have been assigned a new random identifier, so the client browser's "Back" button will no longer work. For example:

Original Page 1 was http://www.example.com/page.jsp?user=ID ... ge=3789264

Page 2 is http://www.example.com/page.jsp?user=ID ... ge=8777623

To return to Page 1, the URL may be http://www.example.com/page.jsp?user=ID93x7HeT7P4a9;cpage=7322641

When the application requires the user to authenticate, all data submission MUST be over an encrypted session such as HTTPS. If the user is successfully authenticated, a new session cookie (ID3) is issued, and the previous session cookie information is revoked at the server. All communication thereafter (until the user decides to "logout") must be over HTTPS.

11. If the user successfully authenticates with the application, the previous session cookie (ID3) is revoked and a new ID3 is issued through the now encrypted HTTPS session.

12. The application must be able to associate ID3 with the type of communication (i.e. HTTP or HTTPS), and immediately revoke all session information (ID1, ID2 and ID3) if the new ID3 is used to access non-secure application resources. The use of revoked or inappropriate session information should result in the client browser being redirected to the start page and issued with all new session identifiers as previously discussed.

13. Again, just like the unsecured parts of the application, all pages passed to the client in the authenticated and secure part of the application should have randomly generated page identifiers.

14. The user must have the facility to "logout" and cancel their session. Logging out results in the revocation of all session information and, if possible, the automatic closing of the client browser. In addition, it is a good practice to ensure that both the HTML Meta tags associated with caching and HTTP caching options are set to expire in the past so that no page content should be stored on the client system.

It is important to note that when utilising session information in the URL, it becomes near impossible to conduct any kind of URL embedded cross-site scripting attack. By assigning unique random identifiers to each page and linking between pages with one-time identifiers, it is almost impossible for an attacker to conduct any brute force or repetitive attacks. However, as this session method relies upon the use of session cookies, it will not work with client browsers that have disabled cookies. In some cases, a client browser page request may not contain any data in the HTTP REFERER field.



Conclusions
The stateless nature of HTTP requires organisations to use their own custom method of managing state through the use of session specific information. While there are a number of ways of implementing a session management solution, there are benefits and restrictions to each implementation. It is vital that developers understand both the mechanisms available to them, as well as the limitations. For applications requiring an application user to authenticate to access resources, it is imperative that the session management process is implemented securely.

The likelihood of an attacker specifically targeting the session management process is growing on a daily basis. As security technologies strengthen the server host's perimeter defences, and good patch management is implemented, session handling often represents the weakest area of critical services.

While this paper has described the limitations of various session handling methods, developers must be aware that good session management is only one component of building a secure application. Good session management can be bypassed through other poorly coded and implemented application components, and should not be seen as a stand-alone security measure.
nate0023
 
Posts: 50
Joined: Sat Nov 22, 2008 12:59 pm
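An added example, written for this page and not taken from the paper quoted in the post above: a minimal in-memory model of the three-identifier scheme (ID1 carried in the URL, a one-time page identifier ID2, and the UserTrack session cookie as ID3). It implements the "source of the session ID" check from the first bullet (a POST must not carry the identifiers in its query string), the REFERER precursor check of step 8, the ID3 rotation at login and the HTTPS-only rule of step 12, and revocation of all three identifiers on any failure. The request dictionary shape (keys method, scheme, query, form, cookies, referer), the session record layout, the 900-second idle timeout, and the demo() walk-through with its constructed URLs are all assumptions of this example, not details from the paper.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 900  # seconds before an idle ID3 is revoked; an assumed value, not from the paper

class SessionError(Exception):
    """Any identifier failure: the caller redirects to the start page with fresh IDs."""

class SessionStore:
    """In-memory model of ID1 (URL user id), ID2 (one-time page token) and ID3 (UserTrack cookie)."""

    def __init__(self):
        self._sessions = {}  # ID1 -> session record; the record shape is this example's own

    def start(self, secure=False):
        """Issue a fresh ID1/ID2/ID3 triple (the server-side redirect of steps 2-3)."""
        user, cpage, cookie = (secrets.token_urlsafe(12) for _ in range(3))
        self._sessions[user] = {"cookie": cookie, "secure": secure, "current": cpage,
                                "links": {cpage: set()}, "seen": time.time()}
        return user, cpage, cookie

    def render_links(self, user, count):
        """Mint one-time npage tokens for the current page and catalogue them (step 4)."""
        s = self._sessions[user]
        tokens = [secrets.token_urlsafe(12) for _ in range(count)]
        s["links"][s["current"]].update(tokens)
        return tokens

    def authenticate(self, user, scheme):
        """Successful login over HTTPS: rotate ID3 and mark the session HTTPS-only (steps 11-12)."""
        if scheme != "https": raise SessionError("authentication must be submitted over HTTPS")
        s = self._sessions[user]
        s["cookie"], s["secure"] = secrets.token_urlsafe(12), True
        return s["cookie"]

    def revoke(self, user):  # logout (step 14), or any failed check: ID1, ID2 and ID3 go together
        self._sessions.pop(user, None)

    def validate(self, req):
        """Check ID1/ID2/ID3 and the REFERER path (steps 7-8); any failure revokes all three and raises."""
        method, query, form = req["method"].upper(), req.get("query", {}), req.get("form", {})
        params = form if method == "POST" else query
        s = self._sessions.get(user := params.get("user") or query.get("user"))
        try:
            # Source of the session ID: a POST must carry the identifiers in its body, never the URL.
            if method == "POST" and ("user" in query or "cpage" in query):
                raise SessionError("session identifiers in the query string of a POST")
            if s is None: raise SessionError("unknown or revoked ID1")
            if req.get("cookies", {}).get("UserTrack") != s["cookie"]: raise SessionError("ID3 mismatch")
            if time.time() - s["seen"] > IDLE_TIMEOUT: raise SessionError("ID3 timed out")
            if s["secure"] and req["scheme"] != "https": raise SessionError("ID3 used over plain HTTP")
            # The REFERER must name the page (ID2) this client was last shown; ';' separates its params.
            ref_query = urlsplit(req.get("referer") or "").query.replace(";", "&")
            if parse_qs(ref_query).get("cpage", [None])[0] != s["current"]:
                raise SessionError("REFERER does not name the current page")
            if method == "POST":  # forms echo the current page in a hidden cpage field
                if params.get("cpage") != s["current"]: raise SessionError("hidden cpage is stale")
                target = secrets.token_urlsafe(12)  # the response page gets a fresh ID2
            else:
                target = params.get("npage")
                if target not in s["links"][s["current"]]:
                    raise SessionError("npage was not issued as a link from the current page")
        except SessionError:
            self.revoke(user)
            raise
        # Success: advance; every token minted for the previous page is now dead (no Back button).
        s["links"], s["current"], s["seen"] = {target: set()}, target, time.time()
        return target

def _rejected(store, req):
    try:
        store.validate(req)
        return False
    except SessionError:
        return True

def demo():
    """Walk the flow on constructed requests; returns which checks behaved as expected."""
    store, out = SessionStore(), {}
    ref = "http://www.example.com/page.jsp?user={};cpage={}".format  # constructed REFERER URLs
    user, cpage, cookie = store.start()
    link1, link2 = store.render_links(user, 2)
    base = {"method": "GET", "scheme": "http", "cookies": {"UserTrack": cookie}}
    page2 = store.validate({**base, "query": {"user": user, "npage": link1}, "referer": ref(user, cpage)})
    out["link_followed"] = page2 == link1
    out["replay_rejected"] = _rejected(store, {**base, "query": {"user": user, "npage": link2},
                                              "referer": ref(user, page2)}) and user not in store._sessions
    user, cpage, cookie = store.start()  # a POST that carries the identifiers in the URL is refused
    out["post_via_query_rejected"] = _rejected(store, {
        "method": "POST", "scheme": "https", "query": {"user": user, "cpage": cpage}, "form": {},
        "cookies": {"UserTrack": cookie}, "referer": ref(user, cpage)})
    user, cpage, _ = store.start()  # after login the rotated ID3 must never be used over HTTP
    cookie, (link,) = store.authenticate(user, "https"), store.render_links(user, 1)
    out["http_after_login_rejected"] = _rejected(store, {
        "method": "GET", "scheme": "http", "query": {"user": user, "npage": link},
        "cookies": {"UserTrack": cookie}, "referer": ref(user, cpage)})
    return out
```

Running demo() reports four outcomes: a catalogued link is accepted; a link minted for an earlier page is refused and the whole session revoked, which is what makes the browser's Back button and any replayed URL useless; a POST whose identifiers travel in the query string is refused; and a post-login ID3 presented over plain HTTP is refused. The REFERER check rewrites the paper's ';' separators to '&' before parse_qs, since current Python versions no longer split on ';'. The paper's own caveat still applies: a browser that strips the REFERER or has cookies disabled will fail these checks and be sent back to the start page with fresh identifiers.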

Re: Featured Level of The Week

Postby FCBerticus on Wed Feb 16, 2011 9:27 am

fc forums needs are character limit o-o
FCBerticus
 
Posts: 117
Joined: Sat Oct 30, 2010 12:17 pm
Location: England

Re: Featured Level of The Week

Postby Skips on Tue Feb 22, 2011 3:22 pm

FCBerticus wrote:fc forums needs are character limit o-o


Yeah it was removed for Simplest Badge Records.
Skips
 
Posts: 1270
Joined: Fri Aug 15, 2008 11:11 am
Location: Blighty

Re: Featured Level of The Week

Postby rianbay812 on Tue Feb 22, 2011 3:28 pm

Skips wrote:
FCBerticus wrote:fc forums needs are character limit o-o


Yeah it was removed for Simplest Badge Records.

can a mod please get rid of that?
rianbay812
 
Posts: 1821
Joined: Sun Feb 22, 2009 5:55 pm
Location: Georgia Institute of Technology: Atlanta, Georgia
