[Seaside] Session (in)security?

Colin Putney cputney at wiresong.ca
Thu Jun 15 18:01:29 UTC 2006

On Jun 15, 2006, at 1:27 PM, Boris Popov wrote:

> Umm, here's something I wish wasn't happening in the default  
> install of
> Seaside. If I go to someplace within the application and email the  
> URL that
> shows in the browser, say
> https://www.myhost.com/seaside/go/application? 
> _s=lpcPfHSbadvbyIAv&_k=KtOMdks
> c
> to somebody, that person can currently click on that link and  
> acquire my
> session and keep on going. I hope I don't need to explain why this  
> is plain
> wrong, but how can I address that?

I think you do need explain why it's wrong. It's a bit like saying,  
"Hey, if I send my password to somebody in an email, they could log  
into my machine and delete my files!"

More information about the Seaside mailing list