[Seaside] seaside sessions and http(s) - security

Liliana liliana at finworks.biz
Mon Sep 10 09:48:38 UTC 2007


We have a seaside app that is nearing deployment in GLASS; but I tested this
behaviour in Squeak with seaside 2.8a1-pmm.391 - which is the base for the
gemstone port.
The entry point of our app is a WATask, which is presenting a login form and
then - based on the access rights of the user - is building a
WASimpleNavigation with different tabs (for various combinations of access
rights) eg:
	(self session user hasUserRole: Administrator)
		ifTrue: [navigationMenu add: InterestCalculatorForm new
label: 'Interest calculator']
	(self session user hasUserRole: UserAdministrator)
		ifTrue: [navigationMenu add: UserPage new label: 'User
				 add: AuditDataPage new label: 'Audit data']

If one is logged in as user1 on browser1 and pastes in the browser a url
copied from browser2/user2 - he then gets the whole session rights and tabs
of user2. This appears to me as if the first user gets hold of the whole
session object of the second user. Is the seaside session re-build inside
the image from the url?
Is there some way of protecting against such a url copy and paste? 


Liliana Ivan
liliana at finwork.biz
(27) 12 663 3140
Finworks <http://www.finworks.biz/>

More information about the seaside mailing list