[Seaside] seaside sessions and http(s) - security

Philippe Marschall philippe.marschall at gmail.com
Mon Sep 10 11:42:01 UTC 2007

2007/9/10, Liliana <liliana at finworks.biz>:
> Hi.
> We have a seaside app that is nearing deployment in GLASS; but I tested this
> behaviour in Squeak with seaside 2.8a1-pmm.391 - which is the base for the
> gemstone port.
> The entry point of our app is a WATask, which is presenting a login form and
> then - based on the access rights of the user - is building a
> WASimpleNavigation with different tabs (for various combinations of access
> rights) eg:
>         (self session user hasUserRole: Administrator)
>                 ifTrue: [navigationMenu add: InterestCalculatorForm new
> label: 'Interest calculator']
>         (self session user hasUserRole: UserAdministrator)
>                 ifTrue: [navigationMenu add: UserPage new label: 'User
> list';
>                                  add: AuditDataPage new label: 'Audit data']
> etc.
> If one is logged in as user1 on browser1 and pastes in the browser a url
> copied from browser2/user2 - he then gets the whole session rights and tabs
> of user2. This appears to me as if the first user gets hold of the whole
> session object of the second user. Is the seaside session re-build inside
> the image from the url?

No, the share the same session object (the value _s paramter in the
url  is used to look up the session).

> Is there some way of protecting against such a url copy and paste?

If the browsers are on different machines and not NATed then you can
use WASessionProtector (add it as a decoration to your root
component). You can also store the session key in a cookie instead of
the url.


> Thanks
> Liliana
> Liliana Ivan
> liliana at finwork.biz
> (27) 12 663 3140
> Finworks <http://www.finworks.biz/>
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

More information about the seaside mailing list