[Seaside] sharing sessions through links..

Julian Fitzell jfitzell at gmail.com
Mon Oct 27 23:15:30 UTC 2008


On Mon, Oct 27, 2008 at 10:45 PM, David Pennell <pennell.david at gmail.com> wrote:
> Wouldn't filtering on IP addresses be problematic for multi-user
> hosts?
> -david

Like a NAT? It certainly wouldn't be effective in that case. :)

The problem is there is currently no way to check that we have the
right *user*. We can check if they have the right *session token* in
the URL but users pass those around. We can put the *same token* in a
cookie but then you can't have multiple sessions in different tabs. We
can check an IP address but that isn't entirely secure and is
problematic if the user gets disconnected from their VPN or whatever
and gets a new IP. We can check if they have the right *browser* by
profiling the headers sent by the browser or adding another cookie.

The last (which is what Randal was suggesting) is probably the most
reasonable compromise in that you can leave the session key in the URL
and therefore have multiple sessions open and passing the URL to
somebody else doesn't give them access to the session. This (over SSL)
is probably pretty secure. But you still can't decide that the site
isn't working in Firefox and copy and paste the link over to IE.

Without some way to actually confirm the identity of the user behind
the keyboard, of course, we have no choice but to make a compromise
somewhere.

Julian
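
The compromise Julian describes (session key stays in the URL so several tabs can hold separate sessions, and a second, per-browser cookie stops a pasted link from granting access) as an added, runnable example. This is not Seaside's code and not anything from the thread; the registry, the `_s`/`_b` names and the `demo` walkthrough are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed example: a minimal session registry that binds each
# URL-carried session key to a per-browser cookie. Not Seaside's own code.


def _digest(value: str) -> str:
    """Store only a hash of the browser cookie server-side (assumption: SHA-256)."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Session:
    key: str                 # token carried in the URL, e.g. ?_s=<key> (hypothetical name)
    browser_digest: str      # hash of the browser-binding cookie this session belongs to
    data: Dict[str, str] = field(default_factory=dict)


class SessionRegistry:
    COOKIE_NAME = "_b"       # hypothetical per-browser cookie; one value per browser, not per session

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue_browser_cookie(self) -> str:
        """Issued once per browser (set as Secure + HttpOnly over SSL). Never appears in a URL."""
        return secrets.token_urlsafe(32)

    def new_session(self, browser_cookie: str) -> Session:
        """A browser may open any number of sessions (one per tab); each is tied to the same cookie."""
        key = secrets.token_urlsafe(16)
        session = Session(key=key, browser_digest=_digest(browser_cookie))
        self._sessions[key] = session
        return session

    def lookup(self, url_key: str, browser_cookie: Optional[str]) -> Optional[Session]:
        """Resolve a request: the URL key alone is not enough, the matching browser cookie must be present."""
        session = self._sessions.get(url_key)
        if session is None or browser_cookie is None:
            return None
        # Constant-time compare: right key but wrong browser means a forwarded or leaked link.
        if not hmac.compare_digest(session.browser_digest, _digest(browser_cookie)):
            return None
        return session


def demo() -> Dict[str, bool]:
    """Walk through the cases discussed in the thread and report which requests succeed."""
    registry = SessionRegistry()
    alice_cookie = registry.issue_browser_cookie()     # Alice's browser, first visit
    tab1 = registry.new_session(alice_cookie)          # two tabs, two independent sessions
    tab2 = registry.new_session(alice_cookie)
    tab1.data["cart"] = "book"

    return {
        # both tabs keep working, because the session key is in the URL, not the cookie
        "tab1_ok": registry.lookup(tab1.key, alice_cookie) is tab1,
        "tab2_ok": registry.lookup(tab2.key, alice_cookie) is tab2,
        # the URL is forwarded to someone with no binding cookie at all
        "link_without_cookie": registry.lookup(tab1.key, None) is None,
        # the URL is pasted into another browser (the Firefox-to-IE case): rejected too
        "link_in_other_browser": registry.lookup(tab1.key, registry.issue_browser_cookie()) is None,
        # an unknown key never resolves, regardless of cookie
        "unknown_key": registry.lookup("not-a-real-key", alice_cookie) is None,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'as expected' if outcome else 'UNEXPECTED'}")
```

The cookie value is stored hashed so a dump of the session table does not yield usable browser bindings, and the comparison uses `hmac.compare_digest` so lookup timing does not leak how many characters matched. As Julian notes, this only holds up when the cookie travels over SSL; it also reproduces his caveat that the same user cannot move a session between two different browsers by copying the URL.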
