[Seaside] Programmatically replacing a session with a new session

Nevin Pratt nevin at bountifulbaby.com
Wed Apr 22 07:15:43 UTC 2009

Again, just to follow up on my own post, right now I just do a

   ^self session redirectTo: SystemResources machine , self currentRequest nativeRequest url

And of course, the url had been previously built via #updateUrl:

That means if I detect a session hijacking, I redirect the hijacker.  
But it leaves the original "authentic" user alone, since it is just the 
hijacker that gets redirected.


> If a Seaside site detects a possibly hijacked session, it would be 
> nice to programmatically replace their session with a new session, and 
> otherwise continue.  I realize that enough information would have to 
> exist in the URL so that a new session could be built pointing to the 
> right point in the website, but that's not the problem for me.
> I'm not sure how to programmatically, and transparently, replace a 
> session with a new session, so that the user doesn't otherwise even 
> know that it happened.  Right now I immediately expire the session, 
> and so they get the usual "session has expired" message, and the web 
> app (by itself) then goes to the app entry point with a new session.
> How do I make this process more transparent, so that the user isn't 
> even aware that the session has been switched out from under them?
> Nevin
