[Seaside] Session (in)security?

Colin Putney cputney at wiresong.ca
Fri Jun 16 00:21:43 UTC 2006

On Jun 15, 2006, at 4:37 PM, Boris Popov wrote:

> Oh I didn't say there was anything wrong with that, it just seemed  
> weird
> that one could copy the url from one machine to the other and pick  
> up an
> exact same session. By the way, password was just an example, not  
> related to
> the session key issue. Obviously our app is password protected as  
> well, but
> with url copying, all you need is a url of a logged-in user and  
> you're good
> to go whereas with a cookie you have to try much harder. I settled on
> basically using both cookie setting and WASessionProtector, but was  
> just
> wondering if cookie setting shouldn't be on by default for ignorant  
> seaside
> beginners like myself, that's all :)

I guess I should have been more precise. If you use HTTP  
authentication, then you'd need both a session key *and* a valid  
login and password. If you only require login to start a session,  
then yeah, a session key is enough to hijack the session.


More information about the Seaside mailing list