[Seaside] Session (in)security?

Ramon Leon ramon.leon at allresnet.com
Thu Jun 15 20:05:39 UTC 2006

> Fair enough of a question. Here's one stab at the least 
> argument-provoking answer :)
> If somebody stands over my shoulder, the password fields are 
> (typically) masked (*****) whereas the address bar of the 
> browser isn't. 
> -Boris
> -- 
> +1.604.689.0322
> DeepCove Labs Ltd.
> 4th floor 595 Howe Street
> Vancouver, Canada V6C 2T5
> boris at deepcovelabs.com

There's nothing wrong with the session key being in the url, it's fairly
common but often hidden with mod rewrite making the key look like part of
the url itself.  .Net allows this as well, called cookieless sessions, which
was a response to people complaining about cookies being required.  Seaside
offers both cookie and cookieless sessions, and seaside, being aimed at
"complex application" development rather than general web site development,
is more concerned with making application development easier, rather than
general website development, so the defaults may need changing here and
there when doing websites.

More information about the Seaside mailing list