[Seaside] sharing sessions through links..

Julian Fitzell jfitzell at gmail.com
Tue Oct 28 16:59:47 UTC 2008


On Tue, Oct 28, 2008 at 5:37 PM, David Farber <dfarber at numenor.com> wrote:
>
> On Oct 27, 2008, at 5:15 PM, Julian Fitzell wrote:
>
>> The last (which is what Randal was suggesting) is probably the most
>> reasonable compromise in that you can leave the session key in the URL
>> and therefore have multiple sessions open and passing the URL to
>> somebody else doesn't give them access to the session. This (over SSL)
>> is probably pretty secure. But you still can't decide that the site
>> isn't working in Firefox and copy and paste the link over to IE.
>>
>> Without some way to actually confirm the identity of the user behind
>> the keyboard, of course, we have no choice but to make a compromise
>> somewhere.
>
> Forgive me if I am ignorantly suggesting something that won't work in
> Seaside, but I would try this:
>
> 1) Keep a token identifying the user in a cookie.
> 2) Leave the session info in the url.
>
> Since the session is still in the url, you can still have multiple sessions
> in the same browser.  And since the user token is in a cookie, I can paste
> the URL into any browser where I've already authenticated.

Well, that's basically what Randal was suggesting and is, I think, the
best we can do currently. It still only identifies the browser,
though: if a user walks away from the browser or someone sniffs the
cookie value, we have no way of knowing that it isn't the same user
anymore. Always using the same key for a particular user does have the
nice property that they can move sessions between browsers but at the
additional risk that you now want that cookie to persist for a much
longer period of time which is bad if the token does get captured.

Julian
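The scheme the thread converges on (session key in the URL, a separate user token in a cookie, a request honoured only when the two agree) as an added, framework-independent Python model; it is not Seaside code and not from either poster. It assumes an in-memory store and a per-login cookie token mapped to a user, rather than one fixed key per user, so that the cookie's lifetime can be bounded as Julian's last paragraph suggests.

```python
import secrets
import time


class SessionStore:
    """Constructed example: URL session keys bound to a cookie-held user token."""

    def __init__(self, token_ttl=3600, clock=time.time):
        self.clock = clock
        self.token_ttl = token_ttl      # how long a captured cookie stays useful
        self.user_tokens = {}           # cookie token -> (user, expiry)
        self.sessions = {}              # URL session key -> owning user

    def login(self, user):
        """Issue the cookie token that identifies an authenticated browser."""
        token = secrets.token_urlsafe(32)
        self.user_tokens[token] = (user, self.clock() + self.token_ttl)
        return token

    def new_session(self, cookie_token):
        """Create a URL session owned by the user behind the cookie."""
        user = self._user_for(cookie_token)
        if user is None:
            return None
        key = secrets.token_urlsafe(16)
        self.sessions[key] = user
        return key

    def resolve(self, url_key, cookie_token):
        """Return the user for a request, or None when URL and cookie disagree.

        A forwarded URL is useless without a cookie for the same user, while
        the same user in a second authenticated browser can still use it.
        """
        owner = self.sessions.get(url_key)
        user = self._user_for(cookie_token)
        if owner is None or user is None or owner != user:
            return None
        return user

    def _user_for(self, token):
        """Look up the cookie token, dropping it once its lifetime has passed."""
        entry = self.user_tokens.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() > expiry:
            del self.user_tokens[token]
            return None
        return user
```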