[Seaside] Passing links around - a security issue?
jens at axonspace.com
Wed Jan 24 18:23:48 UTC 2007
Ramon Leon wrote:
>> -----Original Message-----
>> From: seaside-bounces at lists.squeakfoundation.org
>> [mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf
>> Of Jens Pall
>> Sent: Wednesday, January 24, 2007 5:49 AM
>> To: The Squeak Enterprise Aubergines Server - general discussion.
>> Subject: [Seaside] Passing links around - a security issue?
>> One thought: Is it a security issue to pass links generated
>> by Seaside to someone else? Is it possible to hijack the
>> session this way?
>> Consider this:
>> You log on to a seaside site.
>> You copy a link from inside the site and pass it to someone
>> else (by e-mail for example).
>> That someone else clicks on your link and has gained access
>> to your session.
>> Hopefully I have this completely wrong and am just talking
>> nonsense. If not, what is the correct and safe way to pass
>> links (to internal sources) to external parties?
> This isn't just a Seaside thing, it's an issue with any framework that
> enables cookieless sessions. As with those other frameworks, you can choose
> to keep the session id in the url, or in the cookie. Seaside is no
> different than other frameworks in this regard other than that it defaults
> to cookieless mode where most frameworks default to cookie based sessions.
> Ramon Leon
Yes, of course - silly me. I was so engrossed in the specific way
Seaside encodes the url that I forgot to think about this in a more
general way. Thanks for putting me straight.