[Seaside] New Gardner version

Benjamin Pollack benjamin.pollack at duke.edu
Mon Aug 4 20:26:17 CEST 2003


On Monday, August 4, 2003, at 06:04  PM, Cees de Groot wrote:

> Dogfood mode: http://www.tric.nl/ is the first site I created by using
> Gardner as a whitebox framework.

Attempting to access that website in Safari fails. It constantly 
toggles between http://www.tric.nl/tric/[session information] and 
http://www.tric.nl/tric/tric , never loading any actual data. I took a 
look with telnet to figure out what's happening:

1. First, the Apache server that is virtually hosting www.tric.nl 
issues an HTTP/302 redirect to http://www.tric.nl/tric/
2. Seaside then issues another HTTP/302 redirect to 
http://www.tric.nl/tric/[session1]
3. Seaside then issues ANOTHER HTTP/302 redirect, this time to 
http://www.tric.nl/tric/tric, the new way/[session2] , but because that 
URL lacks the proper escape characters, Safari mistakenly redirects 
back to /tric/[session3], which causes an infinite loop, spawning a 
huge number of Seaside sessions very quickly.

(This problem does not surface with Mozilla, but that is because 
Mozilla is forgiving, not because Safari is implementing incorrect 
behavior.)

You need to remove the spaces in that URL or properly escape them, or 
else someone is going to accidentally DoS you by spawning a massive 
number of Seaside sessions in a very short time trying to view your 
website. Each URL request that results from a 302 redirect is 
generating a new session. Over a T1, Seaside seems to be able to crank 
these sessions out really fast, and it took me a moment to figure out 
why Safari was appearing to reload the same page about ten times per 
second before I could process what the problem was and stop it. On the 
same note, though, why is Seaside creating new sessions for every 
WARedirectResponse in the first place? Is that a flaw with Seaside, or 
with the framework, or is there a good reason for spawning new sessions 
on redirects? The session will of course time out after ten minutes, 
but I don't understand why you need to generate a new session that way. 
It has the potential to waste a lot of memory on a heavily used site.

--Benjamin
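
A check for the unescaped redirect target described in the message above, written as an added example that is not part of the original post and is not Seaside or Gardner code. It audits the `Location` values of a redirect chain for characters that must not appear raw and shows the percent-encoded form; the function names and the `SESSION1`/`SESSION2` keys are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit, quote

# Characters RFC 3986 permits unescaped in a path; "%" is kept so that
# existing %XX escapes are not double-encoded.
PATH_SAFE = "/%:@!$&'()*+,;=-._~"
# Anything outside printable, non-space ASCII must never appear raw in Location.
ILLEGAL = re.compile(r"[^\x21-\x7e]")

def escape_location(url):
    """Return url with illegal characters in path, query and fragment percent-encoded."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc,
                       quote(parts.path, safe=PATH_SAFE),
                       quote(parts.query, safe=PATH_SAFE + "?"),
                       quote(parts.fragment, safe=PATH_SAFE + "?")))

def audit_chain(locations):
    """Return (hop_number, raw, escaped) for each Location that needs escaping."""
    findings = []
    for hop, raw in enumerate(locations, start=1):
        if ILLEGAL.search(raw):
            findings.append((hop, raw, escape_location(raw)))
    return findings

# Constructed chain modelled on the three redirects in the message;
# the session keys are made-up placeholders (assumption).
CHAIN = [
    "http://www.tric.nl/tric/",
    "http://www.tric.nl/tric/SESSION1",
    "http://www.tric.nl/tric/tric, the new way/SESSION2",
]

if __name__ == "__main__":
    for hop, raw, fixed in audit_chain(CHAIN):
        print(f"hop {hop}: unescaped Location {raw!r} -> {fixed!r}")
```

Run against captured `Location` headers, a non-empty result from `audit_chain` flags the hop that has to be fixed on the server side before any client sees it.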


