[Seaside] sharing sessions through links..

David Farber dfarber at numenor.com
Tue Oct 28 16:37:29 UTC 2008


On Oct 27, 2008, at 5:15 PM, Julian Fitzell wrote:

> The last (which is what Randal was suggesting) is probably the most
> reasonable compromise in that you can leave the session key in the URL
> and therefore have multiple sessions open and passing the URL to
> somebody else doesn't give them access to the session. This (over SSL)
> is probably pretty secure. But you still can't decide that the site
> isn't working in Firefox and copy and paste the link over to IE.
>
> Without some way to actually confirm the identity of the user behind
> the keyboard, of course, we have no choice but to make a compromise
> somewhere.

Forgive me if I am ignorantly suggesting something that won't work in  
Seaside, but I would try this:

1) Keep a token identifying the user in a cookie.
2) Leave the session info in the URL.

Since the session is still in the URL, you can still have multiple
sessions in the same browser. And since the user token is in a
cookie, I can paste the URL into any browser where I've already
authenticated.

David
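
The two-part check suggested in this message, as an added example that is not part of the original post and is not Seaside code. It is a framework-neutral Python model; `SessionRegistry`, its methods, and the user names are hypothetical, and the cookie and URL values are passed in as plain arguments.

```python
import secrets


class SessionRegistry:
    """Session key travels in the URL; user token travels in a cookie."""

    def __init__(self):
        self._users = {}     # user token (cookie value) -> user name
        self._sessions = {}  # session key (URL parameter) -> owning user name

    def login(self, user):
        """Authenticate one browser; the returned token is set as its cookie."""
        token = secrets.token_urlsafe(32)
        self._users[token] = user
        return token

    def new_session(self, user_token):
        """Open a session for an authenticated browser; the key goes in URLs."""
        user = self._users.get(user_token)
        if user is None:
            raise PermissionError("browser is not authenticated")
        key = secrets.token_urlsafe(16)
        self._sessions[key] = user
        return key

    def resolve(self, session_key, user_token):
        """Return the session owner only when the cookie's user owns the URL's session."""
        user = self._users.get(user_token)
        owner = self._sessions.get(session_key)
        if user is None or owner is None or user != owner:
            return None  # unknown cookie, unknown session, or someone else's URL
        return owner


def demo():
    """Constructed scenario: one user in two browsers, plus a second user."""
    reg = SessionRegistry()
    firefox = reg.login("alice")    # cookie held by alice's first browser
    other = reg.login("alice")      # alice authenticated again in a second browser
    stranger = reg.login("bob")     # a different authenticated user
    s1 = reg.new_session(firefox)
    s2 = reg.new_session(firefox)   # second session in the same browser
    return {
        "two_sessions_one_browser": s1 != s2 and reg.resolve(s2, firefox) == "alice",
        "pasted_into_own_browser": reg.resolve(s1, other),
        "pasted_to_other_user": reg.resolve(s1, stranger),
        "pasted_without_cookie": reg.resolve(s1, None),
    }
```
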


