[Seaside] Session (in)security?
Colin Putney
cputney at wiresong.ca
Thu Jun 15 18:01:29 UTC 2006
On Jun 15, 2006, at 1:27 PM, Boris Popov wrote:
> Umm, here's something I wish wasn't happening in the default install of
> Seaside. If I go to someplace within the application and email the URL that
> shows in the browser, say
>
> https://www.myhost.com/seaside/go/application?_s=lpcPfHSbadvbyIAv&_k=KtOMdksc
>
> to somebody, that person can currently click on that link and acquire my
> session and keep on going. I hope I don't need to explain why this is plain
> wrong, but how can I address that?
I think you do need to explain why it's wrong. It's a bit like saying,
"Hey, if I send my password to somebody in an email, they could log
into my machine and delete my files!"
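Whichever side of this exchange one takes, a session key carried in the `_s` URL parameter can be monitored from the server side. The following is an added example, not part of the original thread and not Seaside code: it scans access-log lines for a `_s` value used by more than one client. The combined log format, the IP addresses, the user agents and the second session key are constructed assumptions; only the first URL's parameters come from the quoted message.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (combined log format); clients and agents are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jun/2006:13:20:01 +0000] "GET /seaside/go/application?_s=lpcPfHSbadvbyIAv&_k=KtOMdksc HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Firefox/1.5"
198.51.100.7 - - [15/Jun/2006:13:21:40 +0000] "GET /seaside/go/application?_s=lpcPfHSbadvbyIAv&_k=ZxCvBnMa HTTP/1.1" 200 4801 "-" "Mozilla/5.0 (Macintosh) Firefox/1.5"
203.0.113.44 - - [15/Jun/2006:13:35:12 +0000] "GET /seaside/go/application?_s=lpcPfHSbadvbyIAv&_k=KtOMdksc HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [15/Jun/2006:13:36:00 +0000] "GET /seaside/go/application?_s=Qw3rTyUiOpAsDfGh&_k=PlMnKoIj HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (X11) Firefox/1.5"
"""

# client IP, request target and user agent from one combined-format line
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$'
)

def clients_per_session(log_text, param="_s"):
    """Map each session key found in the URL to the set of (ip, agent) pairs using it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, target, agent = m.groups()
        for key in parse_qs(urlsplit(target).query).get(param, []):
            seen[key].add((ip, agent))
    return seen

def shared_sessions(log_text, param="_s"):
    """Return session keys presented by more than one distinct client.

    A hit is a lead to review, not proof of takeover: one user can
    legitimately change address (NAT pools, mobile networks).
    """
    return {
        key: sorted(clients)
        for key, clients in clients_per_session(log_text, param).items()
        if len(clients) > 1
    }

if __name__ == "__main__":
    for key, clients in shared_sessions(SAMPLE_LOG).items():
        print(f"session {key} used by {len(clients)} clients: {clients}")
```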