[Seaside] Passing links around - a security issue?
Bany, Michel
mbany at cincom.com
Wed Jan 24 18:32:53 UTC 2007
On the other hand, if this is a critical security issue, it might be possible to navigate the object graph (session -> currentRequest -> nativeRequest and so on) and get the peer's IP address and restrict the session to that specific IP address.
I must admit that this is just an idea to explore, I never tried it.
Michel
> -----Original Message-----
> From: seaside-bounces at lists.squeakfoundation.org
> [mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf Of Ramon Leon
> Sent: mercredi, 24. janvier 2007 19:10
> To: 'The Squeak Enterprise Aubergines Server - general discussion.'
> Subject: RE: [Seaside] Passing links around - a security issue?
>
> > -----Original Message-----
> > From: seaside-bounces at lists.squeakfoundation.org
> > [mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf Of Jens Pall
> > Sent: Wednesday, January 24, 2007 5:49 AM
> > To: The Squeak Enterprise Aubergines Server - general discussion.
> > Subject: [Seaside] Passing links around - a security issue?
> >
> > Hi
> >
> > One thought: Is it a security issue to pass links generated by Seaside
> > to someone else? Is it possible to hijack the session this way?
> >
> > Consider this:
> >
> > You log on to a seaside site.
> > You copy a link from inside the site and pass it to someone else (by
> > e-mail for example).
> > That someone else clicks on your link and has gained access to your
> > session.
> >
> > Hopefully I have this completely wrong and am just talking nonsense.
> > If not, what is the correct and safe way to pass links (to internal
> > sources) to external parties?
> >
> > Thanks,
> > JP
>
> This isn't just a Seaside thing, it's an issue with any framework that
> enables cookieless sessions. As with those other frameworks, you can
> choose to keep the session id in the url, or in the cookie. Seaside is
> no different than other frameworks in this regard other than that it
> defaults to cookieless mode where most frameworks default to cookie
> based sessions.
>
> Ramon Leon
> http://onsmalltalk.com
>
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>
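As an added example (not code from this thread or from Seaside itself), the following Python sketch shows Michel's idea in action: a session remembers the peer address it was created from, and a link that carries the session key in its URL, as in the cookieless mode Ramon describes, no longer resumes the session when someone at another address follows it. The registry, the `sid` query parameter and the addresses are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed illustration of the idea discussed above; the registry, the "sid"
# query parameter and the addresses are hypothetical, not Seaside's own API.

@dataclass
class Session:
    key: str
    peer_ip: str   # address of the client that created the session
    user: str

class SessionRegistry:
    """In-memory session store that refuses to resume a session from a different peer."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, peer_ip):
        key = secrets.token_urlsafe(16)   # unguessable session key
        self._sessions[key] = Session(key, peer_ip, user)
        return key

    def resolve(self, key, peer_ip):
        """Return the session for `key`, or None if it is unknown or presented from another address."""
        session = self._sessions.get(key)
        if session is None or session.peer_ip != peer_ip:
            # A forwarded link carries a valid key but arrives from a different peer:
            # treat it as "no session" instead of letting the recipient continue as the owner.
            return None
        return session

def link_for(base_url, key):
    # Cookieless mode: the session key travels inside the URL, so the link itself is the credential.
    return f"{base_url}?sid={key}"

def key_from(url):
    return parse_qs(urlparse(url).query)["sid"][0]

def forwarded_link_scenario():
    """JP logs in, copies a link and mails it; both parties follow the same URL from different addresses."""
    registry = SessionRegistry()
    key = registry.create("jp", "192.0.2.10")
    url = link_for("https://app.example/seaside/counter", key)
    owner = registry.resolve(key_from(url), "192.0.2.10")        # JP, from the original address
    recipient = registry.resolve(key_from(url), "198.51.100.7")  # recipient of the e-mail
    return owner is not None and owner.user == "jp", recipient is None
```

The trade-off of binding a session to the peer address is that a client whose address changes mid-session (a proxy pool, a mobile network) is logged out; cookie-based sessions avoid that at the cost of the cookie handling Ramon mentions.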