[Seaside] Session (in)security?

Boris Popov boris at deepcovelabs.com
Thu Jun 15 20:37:21 UTC 2006


Oh, I didn't say there was anything wrong with that; it just seemed weird
that one could copy the URL from one machine to the other and pick up the
exact same session. By the way, password was just an example, not related to
the session key issue. Obviously our app is password protected as well, but
with URL copying, all you need is the URL of a logged-in user and you're good
to go, whereas with a cookie you have to try much harder. I settled on
basically using both the cookie setting and WASessionProtector, but was just
wondering if the cookie setting shouldn't be on by default for ignorant Seaside
beginners like myself, that's all :)

Cheers!

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5

boris at deepcovelabs.com

CONFIDENTIALITY NOTICE

This email is intended only for the persons named in the message
header. Unless otherwise indicated, it contains information that is
private and confidential. If you have received it in error, please
notify the sender and delete the entire message including any
attachments.

Thank you.

-----Original Message-----
From: seaside-bounces at lists.squeakfoundation.org
[mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf Of Colin
Putney
Sent: Thursday, June 15, 2006 1:28 PM
To: The Squeak Enterprise Aubergines Server - general discussion.
Subject: Re: [Seaside] Session (in)security?


On Jun 15, 2006, at 2:07 PM, Boris Popov wrote:

> Fair enough of a question. Here's one stab at the least
> argument-provoking answer :)
>
> If somebody stands over my shoulder, the password fields are  
> (typically)
> masked (*****) whereas the address bar of the browser isn't.

Well, if you want to password protect your app, you can do that. If  
you want to rely on capability security with session keys, you have  
to be careful about distributing the capability. Seaside gives you a  
range of options for managing the security of your apps. What's wrong  
with that?

Colin
_______________________________________________
Seaside mailing list
Seaside at lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
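The point both messages circle around (a session key in the URL is a bearer capability that travels with the address bar, whereas a cookie does not, and a protector that ties the session to the client address closes the copied-URL hole) can be shown with a small simulation. The following is an added example, not Seaside code and not anything Boris or Colin posted: the session store, the `Request` type, the `SID` cookie name and the "expire the session when the client address changes" behaviour attributed here to the protector are all assumptions made for illustration (the `_s` query parameter name mirrors the one Seaside uses in its URLs).

```python
"""Added example (not Seaside's code): session key carried in the URL versus in a
cookie, with and without binding the session to the client address.

Everything here is a toy model: the session store, the Request type, the SID
cookie name, and the protector's "expire on address change" rule are assumptions
used to illustrate the discussion, not Seaside's actual implementation.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    key: str
    user: str
    bound_addr: Optional[str]  # None = no address binding (assumed protector off)


class SessionStore:
    """In-memory session table. Keys are 192-bit random values, so guessing one is
    hopeless; the risk discussed on the list is *disclosure*, not guessing."""

    def __init__(self, bind_to_addr: bool = False):
        self.bind_to_addr = bind_to_addr
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_addr: str) -> str:
        key = secrets.token_urlsafe(24)
        bound = client_addr if self.bind_to_addr else None
        self._sessions[key] = Session(key, user, bound)
        return key

    def lookup(self, key: str, client_addr: str) -> Optional[Session]:
        s = self._sessions.get(key)
        if s is None:
            return None
        if s.bound_addr is not None and s.bound_addr != client_addr:
            # Assumed protector behaviour: a request for the session from a
            # different address expires the session outright, so neither the
            # copier nor the original owner can keep using it.
            del self._sessions[key]
            return None
        return s


@dataclass
class Request:
    client_addr: str
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)


def session_key_from_request(req: Request, use_cookie: bool) -> Optional[str]:
    """Where the server reads the session key from: the SID cookie, or the _s
    query parameter that sits in plain view in the address bar."""
    if use_cookie:
        return req.cookies.get("SID")
    return parse_qs(urlsplit(req.url).query).get("_s", [None])[0]


def handle(store: SessionStore, req: Request, use_cookie: bool) -> Optional[str]:
    """Return the user the request is served as, or None if no valid session."""
    key = session_key_from_request(req, use_cookie)
    s = store.lookup(key, req.client_addr) if key else None
    return s.user if s else None


def scenario_url_key_unprotected():
    """Key in URL, no protector: copying the URL copies the login."""
    store = SessionStore(bind_to_addr=False)
    key = store.create("boris", "10.0.0.1")
    url = f"https://app.example/page?_s={key}"           # constructed sample URL
    owner = handle(store, Request("10.0.0.1", url), use_cookie=False)
    copier = handle(store, Request("10.0.0.2", url), use_cookie=False)  # pasted on another machine
    return owner, copier                                   # ('boris', 'boris')


def scenario_url_key_protected():
    """Key in URL, session bound to address: the copy fails and the session dies."""
    store = SessionStore(bind_to_addr=True)
    key = store.create("boris", "10.0.0.1")
    url = f"https://app.example/page?_s={key}"
    owner = handle(store, Request("10.0.0.1", url), use_cookie=False)
    copier = handle(store, Request("10.0.0.2", url), use_cookie=False)
    owner_again = handle(store, Request("10.0.0.1", url), use_cookie=False)
    return owner, copier, owner_again                      # ('boris', None, None)


def scenario_cookie_key():
    """Key in a cookie: the URL carries nothing, so copying it yields nothing."""
    store = SessionStore(bind_to_addr=False)
    key = store.create("boris", "10.0.0.1")
    url = "https://app.example/page"                       # nothing secret to shoulder-surf
    owner = handle(store, Request("10.0.0.1", url, {"SID": key}), use_cookie=True)
    copier = handle(store, Request("10.0.0.2", url), use_cookie=True)
    return owner, copier                                   # ('boris', None)


if __name__ == "__main__":
    print("URL key, no protector :", scenario_url_key_unprotected())
    print("URL key, protector    :", scenario_url_key_protected())
    print("cookie key            :", scenario_cookie_key())
```

Two caveats a practitioner would add to the thread's conclusion. Binding a session to the client address, as modelled here, also logs out legitimate users whose address changes mid-session (roaming mobile clients, rotating proxies), which is why the example shows the owner losing the session too. And moving the key into a cookie only removes it from the address bar and browser history; the cookie is still a bearer token, so it needs TLS on the wire and the Secure and HttpOnly flags to stay out of reach of sniffers and injected script.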