[Seaside] Efficient & trustable authorisation checks?

Avi Bryant avi@beta4.com
Sat, 25 May 2002 12:10:13 -0700 (PDT)


On Sat, 25 May 2002, Tim Rowledge wrote:

> First thing that springs to mind is simply to flag the completed
> authorisation; that requires trusting it to be correct, maybe a worry?
> It seems like the current scheme of leaving the session id in the url
> risks people simply passing the entire url to a buddy. Has anyone done
> any work with using cookies for this - is it any more secure?

Cookies are better protection from over-the-shoulder attacks - it's hard
to steal someone's session id from across the room.  There is, or was, a
flag you could turn on in IAApplication that uses cookies instead of the
url to store the session, but to be honest I'm not sure it survived the
latest updates.  If you decide to go that way I'll resurrect it.

However, even with cookies someone could (intentionally) give their
session to someone else, or could try to brute force guess a valid session
key.  I don't think either of these are very likely, but the most secure
way is still going to be to use HTTP auth and check the ID every time.
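The two residual risks named above, a user deliberately handing a URL or cookie to a buddy and an attacker guessing a live session id, are what "HTTP auth and check the ID every time" closes. The following is an added illustration in Python, not Seaside or IAApplication code, of what that policy looks like: session ids come from a CSPRNG (128 bits is an assumed size), lookups use constant-time comparison so a guesser learns nothing from timing, and every request must also carry HTTP Basic credentials that belong to the principal who created the session. The `SessionStore`, `authorize` and `expected_guess_years` names, and the PBKDF2 parameters, are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not Seaside's own session handling.
SESSION_ID_BYTES = 16  # 128 bits of CSPRNG entropy per session id (assumed size)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for this example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> principal that created it
        self._users = {}     # principal -> (salt, password hash)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hash_password(password, salt))

    def check_credentials(self, user, password):
        entry = self._users.get(user)
        if entry is None:
            hash_password(password, b"\0" * 16)  # burn the same time for unknown users
            return False
        salt, expected = entry
        return hmac.compare_digest(hash_password(password, salt), expected)

    def login(self, user, password):
        if not self.check_credentials(user, password):
            return None
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)  # unguessable, unlike a counter
        self._sessions[sid] = user
        return sid

    def session_owner(self, sid):
        # compare_digest against every stored id: no early exit leaks a partial match
        for stored, user in self._sessions.items():
            if hmac.compare_digest(stored, sid):
                return user
        return None


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(encoded).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(store, sid, auth_header):
    """Accept a request only if the session id is live AND the HTTP auth credentials
    on this request belong to the session's owner. A copied URL or cookie without
    the owner's password is refused; so is a valid password for a different user."""
    owner = store.session_owner(sid)
    if owner is None:
        return None
    creds = parse_basic_auth(auth_header or "")
    if creds is None or creds[0] != owner:
        return None
    return owner if store.check_credentials(*creds) else None


def expected_guess_years(id_bits=SESSION_ID_BYTES * 8, live_sessions=1000,
                         guesses_per_second=1e6):
    # Expected online guesses to hit any one of `live_sessions` valid ids, in years
    return (2 ** id_bits / live_sessions / 2) / guesses_per_second / (365 * 24 * 3600)


def demo():
    store = SessionStore()
    store.register("alice", "correct horse")
    sid = store.login("alice", "correct horse")
    with_auth = authorize(store, sid, basic_header("alice", "correct horse"))
    handed_to_buddy = authorize(store, sid, None)            # URL passed on, no creds
    wrong_password = authorize(store, sid, basic_header("alice", "guess"))
    return with_auth, handed_to_buddy, wrong_password


if __name__ == "__main__":
    print(demo())
    print(f"{expected_guess_years():.2e} years to guess a live 128-bit id")
```

Re-checking credentials on each request costs a PBKDF2 computation per hit, which is the price of making a leaked session id worthless on its own; a cheaper middle ground is a short session lifetime plus re-authentication before sensitive actions, but that still leaves the shared-URL window the original post worries about.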