[Seaside] Session (in)security?

Adrian Lienhard adi at netstyle.ch
Fri Jun 16 09:57:56 UTC 2006


On Jun 16, 2006, at 11:16 , Bert Freudenberg wrote:

[..]

> Anyone starting with Seaside rightfully wonders about those funny  
> URLs, and if it is explained thoroughly what these mean, the  
> security implications are obvious.

I agree, but are the implications really that obvious (because, as  
usual, they are not explained)...
What nobody mentioned so far is not only the problem when you mail a  
URL to somebody but the much more subtle transfer of a URL by the  
referer field in the HTTP header. If you have links in your  
application that point to some other web site, your URL is disclosed  
to this server (the referer field is typically added to the log files).

Adrian
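The Referer leak Adrian describes, modelled as an added example (not code from the post or from Seaside): given the page a user is on and an outbound link, the function computes what Referer a browser would send, under the legacy behaviour of sending the full URL ("unsafe-url") and under the modern default ("strict-origin-when-cross-origin", which sends only the origin on cross-site navigations and nothing on an HTTPS-to-HTTP downgrade). The query keys `_s` and `_k` are assumed to be the ones carrying Seaside session and continuation state.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Query parameters assumed to carry Seaside session/continuation state
# (assumption: commonly "_s" and "_k"; adjust for your deployment).
STATE_KEYS = ("_s", "_k")


def has_session_state(url: str) -> bool:
    """True if the URL's query string carries a session or continuation key."""
    query = parse_qs(urlsplit(url).query)
    return any(key in query for key in STATE_KEYS)


def referer_sent(page_url: str, link_href: str,
                 policy: str = "unsafe-url") -> Optional[str]:
    """Return the Referer a browser sends when following link_href from page_url.

    'unsafe-url'                     : full page URL always (legacy behaviour).
    'strict-origin-when-cross-origin': full URL same-origin, origin only
                                       cross-origin, nothing on HTTPS->HTTP.
    'no-referrer'                    : header suppressed entirely.
    """
    src, dst = urlsplit(page_url), urlsplit(link_href)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    origin_only = f"{src.scheme}://{src.netloc}/"
    full_url = page_url.split("#", 1)[0]  # the fragment is never sent
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_url
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_url if same_origin else origin_only
    raise ValueError(f"unsupported referrer policy: {policy}")


def leaks_session(page_url: str, link_href: str,
                  policy: str = "unsafe-url") -> bool:
    """True if following the link discloses session state to the link's host."""
    ref = referer_sent(page_url, link_href, policy)
    return ref is not None and has_session_state(ref)


if __name__ == "__main__":
    # Constructed sample: a Seaside-style page URL with an external link.
    page = "http://app.example.org/seaside/shop?_s=AbCdEf&_k=XyZ"
    for pol in ("unsafe-url", "strict-origin-when-cross-origin", "no-referrer"):
        print(pol, "->", referer_sent(page, "http://partner.example.com/", pol))
```

A `Referrer-Policy` response header (or a `<meta name="referrer">` tag) is how an application selects one of these policies in today's browsers; the legacy "unsafe-url" row is the case the mail warns about.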

