[Seaside] Passing links around - a security issue?
Michel Bany
michel.bany at gmail.com
Thu Jan 25 08:37:15 UTC 2007
On 24 Jan 2007, at 20:37, Lukas Renggli wrote:
>> On the other hand, if this is a critical security issue, it might be
>> possible to navigate the object graph (session -> currentRequest ->
>> nativeRequest and so on) and get the peer's ip address and restrict
>> the session to that specific ip address.
>>
>> I must admit that this is just an idea to explore, I never tried it.
>
> Back in 2004 I implemented a decoration class called
> WASessionProtector to Seaside that does exactly that. Added around the
> root component it remembers the IP from the first request and only lets
> subsequent requests pass that originate from the same IP. Of course this
> does not provide absolute security, but it is much more than doing
> nothing.
Cool! I just saw it in the base Seaside package and it is also in the
VW port.
However I do not know if this works in VW. Has anyone tried it in
WebToolkit? In Swazoo?
Michel.
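
The check discussed in this thread (remember the peer address of a session's first request, let later requests pass only from that address), as an added example that is not part of the original message and is not Seaside's WASessionProtector code. It is a language-neutral sketch in Python; the class and function names, the 403/404 responses and the IPv4-mapped address normalisation are assumptions.

```python
import ipaddress
import secrets


def canonical_peer(addr):
    """Normalise a peer address so 192.0.2.10 and ::ffff:192.0.2.10 compare equal."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped if mapped is not None else ip)


class SessionProtector:
    """Hypothetical wrapper: pins each session key to the peer of its first request."""

    def __init__(self, handler):
        self._handler = handler
        self._first_peer = {}  # session key -> canonical address of first request

    def new_session(self, remote_addr):
        key = secrets.token_urlsafe(16)
        self._first_peer[key] = canonical_peer(remote_addr)
        return key

    def handle(self, key, remote_addr, path):
        pinned = self._first_peer.get(key)
        if pinned is None:
            return 404, "unknown session"
        if canonical_peer(remote_addr) != pinned:
            # Assumed policy: refuse, and leave the owner's session untouched.
            # Peers behind one NAT or proxy share an address, so this narrows
            # the exposure of a passed-around link rather than closing it.
            return 403, "session bound to a different address"
        return 200, self._handler(key, path)


def demo():
    # Constructed sample traffic using documentation address ranges.
    app = SessionProtector(lambda key, path: "page for " + path)
    key = app.new_session("192.0.2.10")
    return [
        app.handle(key, "192.0.2.10", "/cart")[0],         # session owner
        app.handle(key, "::ffff:192.0.2.10", "/cart")[0],  # same peer, mapped form
        app.handle(key, "198.51.100.7", "/cart")[0],       # link opened elsewhere
        app.handle(key, "192.0.2.10", "/cart")[0],         # owner still served
        app.handle("guessed-key", "192.0.2.10", "/cart")[0],
    ]


if __name__ == "__main__":
    print(demo())
```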