[Seaside] Session (in)security?
Adrian Lienhard
adi at netstyle.ch
Fri Jun 16 09:57:56 UTC 2006
On Jun 16, 2006, at 11:16 , Bert Freudenberg wrote:
[..]
> Anyone starting with Seaside rightfully wonders about those funny
> URLs, and if it is explained thoroughly what these mean, the
> security implications are obvious.
I agree, but are the implications really that obvious (because, as
usual, they are not explained)...
What nobody mentioned so far is not only the problem when you mail an
URL to somebody but the much more subtle transfer of an URL by the
referer field in the HTTP header. If you have links in your
application that point to some other web site, your URL is disclosed
to this server (the referer field is typically added to the log files).
Adrian
More information about the Seaside
mailing list