[Seaside] Passing links around - a security issue?

Bany, Michel mbany at cincom.com
Wed Jan 24 18:32:53 UTC 2007


On the other hand, if this is a critical security issue, it might be
possible to navigate the object graph (session -> currentRequest ->
nativeRequest and so on) and get the peer's ip address and restrict the
session to that specific ip address.

I must admit that this is just an idea to explore, I never tried it.

Michel


> -----Original Message-----
> From: seaside-bounces at lists.squeakfoundation.org 
> [mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf 
> Of Ramon Leon
> Sent: mercredi, 24. janvier 2007 19:10
> To: 'The Squeak Enterprise Aubergines Server - general discussion.'
> Subject: RE: [Seaside] Passing links around - a security issue?
> 
> > -----Original Message-----
> > From: seaside-bounces at lists.squeakfoundation.org
> > [mailto:seaside-bounces at lists.squeakfoundation.org] On 
> Behalf Of Jens 
> > Pall
> > Sent: Wednesday, January 24, 2007 5:49 AM
> > To: The Squeak Enterprise Aubergines Server - general discussion.
> > Subject: [Seaside] Passing links around - a security issue?
> > 
> > Hi
> > 
> > One thought: Is it a security issue to pass links generated
> > by Seaside to someone else? Is it possible to hijack the session
> > this way?
> > 
> > Consider this:
> > 
> > You log on to a seaside site.
> > You copy a link from inside the site and pass it to someone
> > else (by e-mail for example).
> > That someone else clicks on your link and has gained access to your
> > session.
> > 
> > Hopefully I have this completely wrong and am just talking
> > nonsense. If not, what is the correct and safe way to pass links
> > (to internal sources) to external parties?
> > 
> > Thanks,
> > JP
> 
> This isn't just a Seaside thing, it's an issue with any 
> framework that enables cookieless sessions.  As with those 
> other frameworks, you can choose to keep the session id in 
> the url, or in the cookie.  Seaside is no different than 
> other frameworks in this regard other than that it defaults 
> to cookieless mode where most frameworks default to cookie 
> based sessions.
> 
> Ramon Leon
> http://onsmalltalk.com  
> 
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> 
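The following is an added example, not code from the thread or from the Seaside project, that models what Ramon and Michel describe: a session keyed by a token carried either in the URL (cookieless mode) or in a cookie, and the optional check that binds a session to the peer address it was created from. The names (`SessionStore`, `Request`, the `_s` query parameter and cookie) are this example's own assumptions and not Seaside's API; the requests are constructed inline.

```python
"""
Added example (not from the Seaside list thread or the Seaside project):
a minimal model of the two session-tracking modes Ramon describes,
cookieless (session key in the URL) versus cookie-based, plus the
IP-binding check Michel suggests. All names (SessionStore, Request,
the `_s` parameter) are this example's own assumptions, not Seaside's API.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: URL, cookies, peer address."""
    url: str
    cookies: dict = field(default_factory=dict)
    remote_addr: str = "0.0.0.0"

    def query_param(self, name):
        return parse_qs(urlsplit(self.url).query).get(name, [None])[0]


class SessionStore:
    """Server-side sessions keyed by an unguessable token.

    mode: 'url' (cookieless, the default the thread discusses) or 'cookie'.
    bind_ip: if True, a session is only honoured from the peer that created it.
    """

    def __init__(self, mode="url", bind_ip=False):
        self.mode = mode
        self.bind_ip = bind_ip
        self._sessions = {}

    def login(self, request, user):
        key = secrets.token_urlsafe(16)  # 128 bits of randomness
        self._sessions[key] = {"user": user, "ip": request.remote_addr}
        return key

    def _key_from(self, request):
        if self.mode == "url":
            return request.query_param("_s")
        return request.cookies.get("_s")

    def resolve(self, request):
        """Return the session's user, or None if no valid session is presented."""
        key = self._key_from(request)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if self.bind_ip and sess["ip"] != request.remote_addr:
            return None  # the IP-binding check Michel proposes
        return sess["user"]


def share_link_scenario(mode, bind_ip):
    """Alice logs in; a link she copied is opened by Bob from another address.

    Returns (user seen for Alice's next request, user seen for Bob's request).
    """
    store = SessionStore(mode=mode, bind_ip=bind_ip)
    alice = Request("https://example.test/app", remote_addr="10.0.0.5")
    key = store.login(alice, "alice")
    if mode == "url":
        # Cookieless: the key is in the address bar, so it is in the copied link.
        link = f"https://example.test/app/page?_s={key}"
        alice_next = Request(link, remote_addr="10.0.0.5")
        bob = Request(link, remote_addr="203.0.113.9")  # same URL, different peer
    else:
        # Cookie mode: the copied link carries no key; the cookie stays in Alice's browser.
        link = "https://example.test/app/page"
        alice_next = Request(link, cookies={"_s": key}, remote_addr="10.0.0.5")
        bob = Request(link, remote_addr="203.0.113.9")  # no cookie travels with the link
    return store.resolve(alice_next), store.resolve(bob)


if __name__ == "__main__":
    for mode in ("url", "cookie"):
        for bind_ip in (False, True):
            print(mode, "bind_ip=%s" % bind_ip, share_link_scenario(mode, bind_ip))
```

In URL mode without binding, Bob's request resolves to Alice's session, which is exactly the hijack JP asked about. Binding the session to the peer address stops that particular case, but it also breaks legitimate users whose address changes mid-session or who share one address behind a NAT or proxy, and a copied link can still be replayed from the same address. Keeping the key out of the URL (cookie mode) removes the key from the thing being shared in the first place.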