[Seaside] spooky seaside

Avi Bryant avi at dabbledb.com
Wed May 2 07:55:23 UTC 2007


On 5/2/07, Norbert Hartl <norbert at hartl.name> wrote:
> Hi,
>
> yesterday I showed a colleague our webapp. He wondered
> about the "strange" URLs. The next thing he started to
> notice was that the _k parameter has something linear in
> it. So he played around entering URLs derived from the
> URLs he got from a loaded page. After 4 attempts he got
> the WADispatcherEditor. I was shocked.

Are you sure he actually hit upon a valid _k value?  There are lots of
ways that an invalid one would have brought you by default to a
WADispatcherEditor.  For example, if the session key were valid, and
that was the last page you had seen.  Or, if he modified the URL to
include /config, where WADispatcherEditor is the root component.

The _k values are WAExternalIDs, which are 64-bit random numbers,
generated by the standard Random class.  In Squeak that's apparently a
Park-Miller generator.

The chances of hitting upon a real _k value should be astronomically
low.  You would also need to guess the right corresponding _s, which
means you're searching through a 128-bit space.  On Squeak I've
certainly never spotted anything linear in the values, although maybe
your friend has an eye for it which I don't.

>
> But the _k parameter he used was
> completely different from the one I had on the Dispatcher Editor.
>
> So I like to know a few things:
>
> - how are the _s and _k parameters built? Is it possible to
>   get the same page (stack pointer) with two different
>   _k parameters?

Well, sort of.  There's a _k for the callback actions, which then
immediately gets redirected to a new _k for rendering the page.
Either of those will basically get you to the same place.  But more to
the point, as I mentioned above, if the _k is totally wrong you'll get
taken to a default location, which could well have been the
WADispatcherEditor.

> - What is the best way to remove WADispatcherEditor. When
>   I remove it, it still has references and stays as AnObsolete.

You don't need to remove the class, just get rid of the config app.
You should be able to do that from within /config itself.

> - Where is this session protection thing and how do I enable
>   it.

I don't know, anyone?

Avi
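An added example to illustrate the caveat behind the "astronomically low" estimate above (this is not Seaside or Squeak code and is not from the thread). A Park-Miller generator is a linear congruential generator, x(n+1) = 16807 * x(n) mod (2^31 - 1), with only 31 bits of state, so one observed output fixes every later output, and, using the modular inverse of the multiplier, every earlier one. The key scheme below (two consecutive outputs packed into one 62-bit value) is a hypothetical stand-in: the page does not show how WAExternalID assembles its 64 bits, and Avi only says Squeak's Random is "apparently" Park-Miller. The general point it demonstrates is that the unguessability of an identifier drawn from a non-cryptographic PRNG is bounded by the generator's state, not by the identifier's width.

```python
"""Predicting identifiers drawn from a Park-Miller generator.

Constructed example, not Seaside/Squeak code.  Assumption: a hypothetical
key scheme packs two consecutive 31-bit generator outputs into one 62-bit
key.  The real WAExternalID layout is not shown on the page.
"""
from typing import List, Tuple

M = 2**31 - 1            # modulus of the "minimal standard" generator (prime)
A = 16807                # multiplier
A_INV = pow(A, -1, M)    # modular inverse of A: steps the generator backwards


class ParkMiller:
    """x(n+1) = A * x(n) mod M, the Park-Miller minimal standard generator."""

    def __init__(self, seed: int) -> None:
        if not 0 < seed < M:
            raise ValueError("seed must be in 1..M-1")
        self.state = seed

    def next_int(self) -> int:
        # Every output is the complete internal state: nothing is hidden.
        self.state = (A * self.state) % M
        return self.state


def make_key(rng: ParkMiller) -> int:
    """Hypothetical key: two consecutive outputs packed into 62 bits."""
    hi = rng.next_int()
    lo = rng.next_int()
    return (hi << 31) | lo


def split_key(key: int) -> Tuple[int, int]:
    """Undo make_key: (first output, second output)."""
    return key >> 31, key & M


def predict_forward(observed_key: int, count: int) -> List[int]:
    """Given one valid key, return the next `count` keys the server will
    issue.  The low half of the key *is* the generator's current state,
    so we simply resume the generator from it."""
    _, lo = split_key(observed_key)
    rng = ParkMiller(lo)
    return [make_key(rng) for _ in range(count)]


def predict_backward(observed_key: int, count: int) -> List[int]:
    """Given one valid key, return the `count` keys issued before it,
    most recent first.  Each previous output is state * A^-1 mod M."""
    hi, _ = split_key(observed_key)
    state = hi                       # state after the first half was drawn
    keys = []
    for _ in range(count):
        lo = (state * A_INV) % M     # output drawn just before `state`
        hi = (lo * A_INV) % M        # and the one before that
        keys.append((hi << 31) | lo)
        state = hi
    return keys


def effective_keyspace_bits() -> int:
    """An attacker holding one key needs no search at all; one holding
    none needs at most 2^31 state guesses, whatever the key width."""
    return (M).bit_length()          # 31


if __name__ == "__main__":
    server = ParkMiller(20070502)    # constructed seed for the demo
    issued = [make_key(server) for _ in range(5)]
    leaked = issued[2]               # one key seen in a URL
    print("next keys:    ", predict_forward(leaked, 2) == issued[3:5])
    print("earlier keys: ", predict_backward(leaked, 2) == [issued[1], issued[0]])
    print("state bits:   ", effective_keyspace_bits())
```

The 64-bit and 128-bit figures in the reply hold only if every bit of _k and _s is unpredictable. With a linear congruential generator behind them, whoever has seen one valid identifier can enumerate the others rather than guess them, which is why session and continuation identifiers should come from a cryptographically secure generator. Whether Seaside's actual WAExternalID construction leaks state in this way is not established by the thread; the example shows the property of the generator class, not a confirmed weakness in the framework.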

