[Seaside] Passing links around - a security issue?
ramon.leon at allresnet.com
Wed Jan 24 18:10:19 UTC 2007
> -----Original Message-----
> From: seaside-bounces at lists.squeakfoundation.org
> [mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf
> Of Jens Pall
> Sent: Wednesday, January 24, 2007 5:49 AM
> To: The Squeak Enterprise Aubergines Server - general discussion.
> Subject: [Seaside] Passing links around - a security issue?
> One thought: Is it a security issue to pass links generated
> by Seaside to someone else? Is it possible to hijack the
> session this way?
> Consider this:
> You log on to a seaside site.
> You copy a link from inside the site and pass it to someone
> else (by e-mail for example).
> That someone else clicks on your link and has gained access
> to your session.
> Hopefully I have this completely wrong and am just talking
> nonsense. If not, what is the correct and safe way to pass
> links (to internal
> sources) to external parties?
This isn't just a Seaside thing, it's an issue with any framework that
enables cookieless sessions. As with those other frameworks, you can choose
to keep the session id in the url, or in the cookie. Seaside is no
different than other frameworks in this regard other than that it defaults
to cookie less mode where most frameworks default to cookie based sessions.
More information about the Seaside