[Seaside] Programmatically replacing a session with a new session
Nevin Pratt
nevin at bountifulbaby.com
Wed Apr 22 07:15:43 UTC 2009
Again, just to follow up on my own post, right now I just do a
    ^self session redirectTo: SystemResources machine , self currentRequest nativeRequest url
And of course, the url had been previously built via #updateUrl:
That means if I detect a session hijacking, I redirect the hijacker.
But it leaves the original "authentic" user alone, since it is just the
hijacker that gets redirected.
Nevin
> If a Seaside site detects a possibly hijacked session, it would be
> nice to programmatically replace their session with a new session, and
> otherwise continue. I realize that enough information would have to
> exist in the URL so that a new session could be built pointing to the
> right point in the website, but that's not the problem for me.
>
> I'm not sure how to programmatically, and transparently, replace a
> session with a new session, so that the user doesn't otherwise even
> know that it happened. Right now I immediately expire the session,
> and so they get the usual "session has expired" message, and the web
> app (by itself) then goes to the app entry point with a new session.
>
> How do I make this process more transparent, so that the user isn't
> even aware that the session has been switched out from under them?
>
> Nevin
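
Added example, not part of the original post and not Seaside code: a framework-neutral Python model of the flow described in the reply, where only the suspect requester is redirected to the same URL without its session keys and the original session is left alive. It assumes the session and continuation keys travel in the URL as `_s` and `_k`, and uses a client-address mismatch as a stand-in for the detection check, which the post does not describe; `SessionStore`, `strip_session` and the sample URL and addresses are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: session key and continuation key are the URL parameters _s and _k.
SESSION_PARAMS = {"_s", "_k"}


def strip_session(url):
    """Return url without session parameters; following it starts a new session."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class SessionStore:
    """Hypothetical store binding each session key to the client that created it."""

    def __init__(self):
        self._owner = {}  # session key -> client address seen at creation

    def create(self, key, client_addr):
        self._owner[key] = client_addr

    def is_live(self, key):
        return key in self._owner

    def handle(self, url, client_addr):
        """Return (status, location) for one request."""
        key = dict(parse_qsl(urlsplit(url).query)).get("_s")
        if key is None:
            return 200, url  # no session yet: the app creates one as usual
        owner = self._owner.get(key)
        if owner is None or owner != client_addr:
            # Unknown key or suspected hijack: redirect this requester only.
            # The stored session is NOT expired, so its real owner is unaffected.
            return 302, strip_session(url)
        return 200, url


def demo():
    # Constructed sample data (documentation address ranges, made-up keys).
    store = SessionStore()
    store.create("abc123", "198.51.100.7")
    url = "http://shop.example/catalog?_s=abc123&_k=9f&item=42"
    owner_result = store.handle(url, "198.51.100.7")
    other_result = store.handle(url, "203.0.113.9")
    return owner_result, other_result, store.is_live("abc123")
```

The redirect target keeps the non-session parameters (`item=42` here), which is what lets the new session land on the same page, as the post notes about building the URL beforehand.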