[Seaside] Passing links around - a security issue?

Jens Pall jens at axonspace.com
Wed Jan 24 18:23:48 UTC 2007

Ramon Leon wrote:
>> -----Original Message-----
>> From: seaside-bounces at lists.squeakfoundation.org 
>> [mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf 
>> Of Jens Pall
>> Sent: Wednesday, January 24, 2007 5:49 AM
>> To: The Squeak Enterprise Aubergines Server - general discussion.
>> Subject: [Seaside] Passing links around - a security issue?
>> Hi
>> One thought: Is it a security issue to pass links generated 
>> by Seaside to someone else? Is it possible to hijack the 
>> session this way?
>> Consider this:
>> You log on to a seaside site.
>> You copy a link from inside the site and pass it to someone 
>> else (by e-mail for example).
>> That someone else clicks on your link and has gained access 
>> to your session.
>> Hopefully I have this completely wrong and am just talking 
>> nonsense. If not, what is the correct and safe way to pass 
>> links (to internal
>> sources) to external parties?
>> Thanks,
>> JP
> This isn't just a Seaside thing, it's an issue with any framework that
> enables cookieless sessions.  As with those other frameworks, you can choose
> to keep the session id in the url, or in the cookie.  Seaside is no
> different than other frameworks in this regard other than that it defaults
> to cookie less mode where most frameworks default to cookie based sessions.
> Ramon Leon
> http://onsmalltalk.com  
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Yes, of course - silly me. I was so engrossed in the specific way 
Seaside encodes the url that I forgot to think about this in a more 
general way. Thanks for putting me straight.


More information about the Seaside mailing list