[Seaside] Security

Randal L. Schwartz merlyn at stonehenge.com
Sun May 3 02:40:18 UTC 2009


>>>>> "Ross" == Ross Boylan <RossBoylan at stanfordalumni.org> writes:

Ross> If I have data that I want to be sure can only be seen by specific
Ross> users, is there a way to do that in Seaside?

Ross> All the previous discussion I've seen on this list concerns session
Ross> security.  While that is necessary, it is not sufficient.  My concern is
Ross> more that someone with a legitimate session could use it to get at
Ross> something unauthorized.

There are two levels to this:

(a) the interaction between the browser and server
(b) how the server interprets this data for authentication and authorization

If the session needs to be secure, "a" better be over SSL.  Otherwise, anyone
who can sniff can replay (although for only 10 minutes in Seaside by default,
and even that might not be useful).  And if "a" is secure, standard practices
for "b" will suffice.  The session key is reasonably secure, although you
could increase its length if you're excessively paranoid.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
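As an added illustration of level (b), not code from this thread or from Seaside itself: a Seaside session that remembers who logged in, and a component that re-checks authorization on every render, so holding a valid session key is never enough by itself to see a record. The SecureSession and RecordView classes, the PatientRecord model and its owner check are all hypothetical.

```smalltalk
"Session subclass that carries the authenticated account (hypothetical)."
WASession subclass: #SecureSession
    instanceVariableNames: 'user'
    classVariableNames: ''
    category: 'SecurityExample'.

SecureSession >> user
    ^ user

SecureSession >> user: anAccount
    "Set by the login component only after credentials were verified."
    user := anAccount

"Hypothetical model object: the record itself knows who may read it,
 so the rule is enforced no matter which component displays it."
Object subclass: #PatientRecord
    instanceVariableNames: 'id ownerId body'
    classVariableNames: ''
    category: 'SecurityExample'.

PatientRecord >> isReadableBy: anAccount
    ^ anAccount notNil and: [ anAccount id = ownerId ]

"Component showing one record; the check runs on every request, not
 just once at login, because the session may be legitimate while the
 record requested is not one this user owns."
WAComponent subclass: #RecordView
    instanceVariableNames: 'record'
    classVariableNames: ''
    category: 'SecurityExample'.

RecordView >> record: aPatientRecord
    record := aPatientRecord

RecordView >> renderContentOn: html
    (record isReadableBy: self session user)
        ifFalse: [ ^ html paragraph: 'Not authorized' ].
    html heading: 'Record ', record id printString.
    html paragraph: record body

"Registration: tell the application to use the custom session class."
(WAAdmin register: RecordView asApplicationAt: 'records')
    preferenceAt: #sessionClass put: SecureSession
```

The deny branch returns before any record data is rendered, so a user who reaches the component with someone else's record id sees only the refusal.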

