[Seaside] Avi, why did the semantics for #urlForAction: change?

Nevin Pratt nevin at bountifulbaby.com
Thu Nov 23 08:34:15 UTC 2006 

Why did the semantics for #urlForAction: change?

In Seaside 2.3, as flow advanced to the next Seaside page/component, I 
could wrap that page easily for SSL using Stunnel thus:

   url := html urlForAction: [self call: MySecureComponent new].
   self session returnResponse: (WARedirectResponse location: 
'https://mylocalhostname', url).

When the user's browser got this redirect, it would redirect to "https" 
(port 443) instead of "http" (port 80), but would otherwise use the 
complete session URL, and would connect right back to the same machine.  
Then, stunnel would be listening on port 443, do it's SSL thing, and 
forward to port 80, where Seaside would be listening.

In Seaside 2.6, at first there seemed to be just a minor change, and the 
following code looked like it would do the same thing as above did in 2.3:

   url := html urlForAction: [self call: MySecureComponent new].
   self session returnResponse: (WAResponse redirectTo: 
'https://mylocalhostname', url).

But it doesn't work. 

There are multiple reasons why it no longer works, but one of those 
reasons is that #urlForAction: now returns the fully qualified host URL 
(including the leading 'http://') rather than just the path (everything 
from '/seaside' on).

Playing string games with the url seems to be pointless, too, because it 
*looks* like if the session keys (everything from '/seaside' onward) are 
reused, Seaside will insist that the url comes from the same original 
source.

In other words, I can change the "http" to an "https" in the redirect 
string all I want, and Seaside will put it right back to an "http" when 
the request comes back, if I am using session keys that were originally 
generated from the "http" location.

Hmm, come to think of it, maybe you've done something to eliminate 
session hijacking, and your "fix" is causing this issue, too?

In any case, it looks like Seaside/Comanche/stunnel is no longer 
sufficient, and it is beginning to look like I'm going to need to use 
Apache and mod_ssl with Seaside, instead of just using Comanche/stunnel 
without Apache.

And again, the reason I can no longer just use Seaside/Comanche with 
stunnel (without Apache) is because I can no longer get Seaside to 
redirect to the "https" location.  It just puts it right back to an 
"http".  Or so it appears.

Comments?

Nevin

More information about the Seaside mailing list