We have this terrible problem at work right now where the web-based program we work on is having problems with users not being able to use multiple sessions, mistakenly killing existing sessions, and losing session data, which stops them from using the program properly. So this is a big problem that my programming lead has decided to ignore for a while now.
I found this issue to be a huge problem and something we couldn't just ignore, so I took it upon myself to figure out what to do. The first thing I did was put the UserID and SessionID at the top of the page in an effort to see when the UserID would change to zero and when the SessionID would change. I warned my lead that this is what I was going to do, and instead of discussing it with me he just said, "I don't want to talk about it anymore, just do it."
So I did.
Then he comes to me after I did it, screenshotted it and sent it to one of the clients for approval, and tells me, "You are going to hate me for this, but that isn't going to production." So I got really fucking angry and started yelling at him; I had already taken a Claritin and drunk some coffee, which makes the Claritin react even better. The only side effect is that it makes me very aggressive.
So I yelled at him, "Unless you have a good reason as to why, it will stay there. I am not removing it unless you give me a good reason. We need a solution, and so far you haven't given me one. I have one, so we are going to use mine."
He replies, "Because it is a security risk."
Me, "No, it isn't. There isn't much you can do with the SessionID, and the UserID isn't used anywhere on the site as input."
Him, "They can do SQL injection and hijack the session."
Me, "You are wrong, that is not possible. I already told you that the UserID is just a primary key we use internally; they can't use it for shit. So give me a good reason as to why I should remove this."
Him, "Don't tell me I am wrong, I have 10 years of experience."
That is when he dropped his creds, and I went from mad to really fucking pissed off.
So I replied with, "So you are going on a hunch?"
That pissed him off, so he drops his creds again and says, "It is a security risk, and any security expert would agree with me, including an admin at one of the companies."
Me, "I remember you telling me you have more experience with Windows Forms and not ASP.NET web development."
So he cred-dropped again...
At this point he was grabbing for straws and throwing anything at me so he could appear to be correct. This made me more upset, so I retorted yet again: "You are wrong, and the security experts would say this is just fine because they are meaningless numbers, and the admin you are talking about is a NETWORK admin; what the hell would he know?"
He then said the most ridiculous thing I have ever heard: "If a hacker gains access to our database, we are just making it easier for them to screw things up."
I scream at him, "IF THEY HACKED OUR DATABASE, WE ARE FUCKED ALREADY! SO THAT DOESN'T MAKE ANY FUCKING SENSE."
He really was just grabbing for straws all over the fucking place; it was very irritating.
So then I start explaining the reason for putting the IDs up there, and he develops a smirk on the side of his face that said to me, or that I read as, "you are full of shit," so I yelled at him again, "WHEN SOMEONE IS EXPLAINING SOMETHING TO YOU AND YOU START TO SMILE LIKE THAT, IT MAKES THEM WANT TO PUNCH YOU IN THE FACE!"
So he cowers away, "No one is punching anybody..."
--
The convo aside, he is wrong for the following reasons:
UserID - this is a primary key in our users table (what a fucking surprise, huh?) and you cannot use it for shit; no one has access to it anywhere in the program, so it is just a number as far as anyone is concerned. We use other primary keys all over the application that the users use.
SessionID - you can hack or hijack ANYONE'S session using poisoned cookies, or, if the session is cookieless, by just getting the URL that the user is using, because the SessionID shows up in the URL. So my point was: if the SessionID would show up in the URL anyway, what the fuck difference would it make if I put it on the page for debugging?
I never said I would put that information on the page permanently, only until we figured out our problem. I even asked my two co-workers for validation, and they agreed with me.
I hate it when people make stupid-ass baseless arguments.
Fucking idiot! Take your 10 years of experience and shove it. I have 9 years of experience, and what?
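The SessionID point above is the one worth seeing in code: whoever presents a valid session ID is that user, so the practical question is how to trace "the session changed" on the page without putting the bearer token itself where screenshots, shoulder-surfers and client emails can pick it up. The following Python model is an added example, not code from the original post or from the application it describes. It shows a toy server-side session store in which a leaked ID is enough to act as the user, and a debug banner that displays a keyed hash of the session ID (stable while the session is stable, different when it changes) behind a debug flag. The names SessionStore, act_as, debug_token, render_debug_banner and the DEBUG_KEY value are assumptions for illustration; ASP.NET's own session provider is not modeled.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the server-side session table (assumption: a real
# app would use ASP.NET's session provider; the property shown is the same).
class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: int) -> str:
        """Start a session and return the bearer token the browser will carry."""
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = {"user_id": user_id}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def act_as(store: SessionStore, sid: str) -> Optional[int]:
    """Resolve a presented session ID to a user, exactly as the server would.
    No password is asked: a session ID copied from a URL, a screenshot or a
    debug banner gives its holder the user's session until it is destroyed."""
    session = store.lookup(sid)
    return None if session is None else session["user_id"]


# Per-deployment secret used only for the debug display (assumption: loaded
# from configuration in a real deployment, never shared with another purpose).
DEBUG_KEY = b"debug-banner-key-replace-me"


def debug_token(sid: str, key: bytes = DEBUG_KEY) -> str:
    """Keyed hash of the session ID for display: identical while the session
    stays the same, different when it changes, but not reversible to the
    session ID, so seeing it does not let anyone act as the user."""
    return hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()[:12]


def render_debug_banner(user_id: int, sid: str, debug_enabled: bool) -> str:
    """Banner text for the top of the page. Empty unless the debug flag is on,
    and it never contains the raw session ID."""
    if not debug_enabled:
        return ""
    return f"user={user_id} session={debug_token(sid)}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(user_id=42)
    print(render_debug_banner(42, sid, debug_enabled=True))
    # The same ID presented by anyone else still resolves to user 42.
    print(act_as(store, sid))
```

The banner still answers the debugging question (did the UserID drop to zero, did the session token change between two page loads?) while the value on screen is only useful to someone who also holds DEBUG_KEY, and the flag keeps it out of production by default.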