[Seaside] Session (in)security?

Boris Popov boris at deepcovelabs.com
Thu Jun 15 18:07:43 UTC 2006


Fair enough of a question. Here's one stab at the least argument-provoking
answer :)

If somebody stands over my shoulder, the password fields are (typically)
masked (*****) whereas the address bar of the browser isn't. 

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5

boris at deepcovelabs.com

-----Original Message-----
From: seaside-bounces at lists.squeakfoundation.org
[mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf Of Colin
Putney
Sent: Thursday, June 15, 2006 11:01 AM
To: The Squeak Enterprise Aubergines Server - general discussion.
Subject: Re: [Seaside] Session (in)security?


On Jun 15, 2006, at 1:27 PM, Boris Popov wrote:

> Umm, here's something I wish wasn't happening in the default install of
> Seaside. If I go to someplace within the application and email the URL that
> shows in the browser, say
>
> https://www.myhost.com/seaside/go/application?_s=lpcPfHSbadvbyIAv&_k=KtOMdksc
>
> to somebody, that person can currently click on that link and acquire my
> session and keep on going. I hope I don't need to explain why this is plain
> wrong, but how can I address that?

I think you do need to explain why it's wrong. It's a bit like saying,
"Hey, if I send my password to somebody in an email, they could log
into my machine and delete my files!"
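
One way to address the forwarded-link case raised in the quoted message, shown as an added example that is not part of the original thread and is not Seaside's own code: bind the `_s` session key carried in the URL to a random cookie set when the session starts, so the URL alone no longer grants the session. `SessionStore`, `authorize` and the `seaside_bind` cookie name are hypothetical, and the in-memory store stands in for the framework's session registry.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

COOKIE_NAME = "seaside_bind"  # hypothetical cookie name, not a Seaside default


class SessionStore:
    """Toy in-memory session registry (assumption: one process, no expiry)."""

    def __init__(self):
        self._binding = {}  # session key (_s) -> cookie token bound at creation

    def create(self):
        """Start a session: the key travels in the URL, the token in a cookie.

        The cookie should be sent with the Secure and HttpOnly attributes.
        """
        key = secrets.token_urlsafe(12)
        token = secrets.token_urlsafe(32)
        self._binding[key] = token
        return key, token

    def authorize(self, url, cookies):
        """Accept a request only if its _s key matches the browser's cookie."""
        params = parse_qs(urlsplit(url).query)
        key = params.get("_s", [""])[0]
        expected = self._binding.get(key)
        if expected is None:
            return False  # unknown or expired session key
        presented = cookies.get(COOKIE_NAME, "")
        # Constant-time comparison; a forwarded URL arrives without the cookie.
        return hmac.compare_digest(expected.encode(), presented.encode())


def demo():
    """Return (owner_allowed, recipient_allowed) for one constructed session."""
    store = SessionStore()
    key, token = store.create()
    # Constructed URL in the shape quoted in the thread.
    url = f"https://www.myhost.com/seaside/go/application?_s={key}&_k=KtOMdksc"
    owner = store.authorize(url, {COOKIE_NAME: token})
    recipient = store.authorize(url, {})  # same link opened in another browser
    return owner, recipient


if __name__ == "__main__":
    print(demo())
```

A request that fails the check can be redirected to a fresh session or the login page rather than resuming the sender's session.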

