<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">They only way I can think of is to store a session id in the browser sessionStorage, which is unique to each tab.</div><div class="">However, I do not think anyone has done so yet.</div><div class=""><br class=""></div>The question that pops to my mind is: why do you want to hide the _s in the url? If this is about security, it’s probably because you do not want someone to copy/paste the url and hijack the session?<div class="">You can prevent that by not using the session to track authentication, but a cookie. In other words:</div><div class="">- use a cookie for authentication (i.e. always require the cookie to be present)</div><div class="">- keep _s for session tracking</div><div class="">-> a user will need both the session id in the url _and_ the cookie to work<br class=""><div class=""><div class=""><div class=""><br class=""></div><div class="">But perhaps there is another reason to keep the _s out of the url?</div><div class=""><br class=""></div><div class="">cheers</div><div class="">Johan</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 01 Oct 2015, at 15:20, Mariano Martinez Peck <<a href="mailto:marianopeck@gmail.com" class="">marianopeck@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi guys, <div class=""><br class=""></div><div class="">I am evaluating some improvements for an app, and I would like these 2 features:</div><div class=""><br class=""></div><div class="">1) Do not expose _s in URL </div><div class="">2) I want to be able to open multiple different seaside sessions from different tabs of the browser. </div><div class=""><br class=""></div><div class="">I was checking the WACookieSessionTrackingStrategy subclasses but of course that is not gonna work because if I have multiple sessions opened in the browser, at #cookieFromContext:ifAbsent: there is no way I can guess which is the real session I must answer for that request. </div><div class="">I am not against using cookies, but I cannot see how that could work. Anyone has a workaround?</div><div class=""><br class=""></div><div class="">As a second thought, I saw WASslSessionTrackingStrategy (my site does run with HTTPS over nginx) which looked interesting. Has someone used this before? I have read a couple of problems with it:<br clear="all" class=""><div class=""><br class=""></div><div class=""><div class=""><i class="">"<span class="" style="white-space:pre"> </span>An interval that is too short can cause a premature termination of a session.</i></div><div class=""><i class="">Also, some Web browsers might have their own timers that affect the lifetime of the SSL session ID. These Web browsers may not leave the SSL session ID active long enough to serve as a useful mechanism for session tracking.</i></div><div class=""><i class="">"</i></div></div><div class=""><br class=""></div><div class="">I seems the timeout can be easily set in nginx. But I am wondering about what it says about browsers killing inactive SSL sessions IDs. Have anyone experienced this?</div><div class=""><br class=""></div><div class="">Thanks in advance, </div><div class=""><br class=""></div>-- <br class=""><div class="gmail_signature">Mariano<br class=""><a href="http://marianopeck.wordpress.com/" target="_blank" class="">http://marianopeck.wordpress.com</a><br class=""></div>
</div></div>
_______________________________________________<br class="">seaside mailing list<br class=""><a href="mailto:seaside@lists.squeakfoundation.org" class="">seaside@lists.squeakfoundation.org</a><br class="">http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside<br class=""></div></blockquote></div><br class=""></div></div></div></div></body></html>