[Seaside] Passing links around - a security issue?

Boris Popov boris at deepcovelabs.com
Thu Jan 25 09:40:23 UTC 2007


I use it on VisualWorks with Swazoo, works fine. Still have to consider the fact that most networks are NAT'ed, so it's not a complete solution, but it helps. We also use cookies for session tracking, so it's a little harder to pick up a session on a different computer.

Cheers!

-Boris
(Sent from a BlackBerry)

----- Original Message -----
From: seaside-bounces at lists.squeakfoundation.org <seaside-bounces at lists.squeakfoundation.org>
To: The Squeak Enterprise Aubergines Server - general discussion. <seaside at lists.squeakfoundation.org>
Sent: Thu Jan 25 00:37:15 2007
Subject: Re: [Seaside] Passing links around - a security issue?


On 24 Jan 2007, at 20:37 , Lukas Renggli wrote:

>> On the other hand, if this is a critical security issue, it might be
>> possible to navigate the object graph (session -> currentRequest ->
>> nativeRequest and so on) and get the peer's IP address and restrict the
>> session to that specific IP address.
>>
>> I must admit that this is just an idea to explore; I never tried it.
>
> Back in 2004 I implemented a decoration class called
> WASessionProtector for Seaside that does exactly that. Added around the
> root component, it remembers the IP from the first request and only lets
> subsequent requests pass that originate from the same IP. Of course this
> does not provide absolute security, but it is much more than doing
> nothing.

Cool! I just saw it in the base Seaside package and it is also in the
VW port. However, I do not know if this works in VW. Has anyone tried it in
WebToolkit? In Swazoo?

Michel.
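As an added illustration of the session-binding idea discussed in this thread (not code from Seaside, WASessionProtector or either poster), the following Python models a session store that remembers the IP of the first request and optionally requires a cookie that never appears in a shared link; the class names and the addresses in the scenario are assumptions, and the scenario also shows the NAT gap Boris mentions.

```python
# Added example (not Seaside code): IP-bound sessions plus an out-of-URL cookie.
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

@dataclass
class Session:
    key: str                        # the value that ends up in shared links
    bound_ip: Optional[str] = None  # remembered from the first request
    cookie: Optional[str] = None    # secret that never appears in the URL

class SessionStore:
    def __init__(self, require_cookie: bool) -> None:
        self.require_cookie = require_cookie
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        s = Session(key=secrets.token_urlsafe(12))
        if self.require_cookie:
            s.cookie = secrets.token_urlsafe(24)
        self.sessions[s.key] = s
        return s

    def accept(self, key: str, peer_ip: str, cookie: Optional[str] = None) -> bool:
        s = self.sessions.get(key)
        if s is None:
            return False
        if s.bound_ip is None:
            s.bound_ip = peer_ip              # first request binds the IP
        elif s.bound_ip != peer_ip:
            return False                      # link reused from elsewhere
        if self.require_cookie:               # constant-time compare
            if not secrets.compare_digest(s.cookie or "", cookie or ""):
                return False
        return True

def demo() -> Dict[str, bool]:
    """Constructed scenario with assumed addresses: a link is passed around."""
    ip_only = SessionStore(require_cookie=False)
    s = ip_only.new_session()
    results = {
        "first": ip_only.accept(s.key, "203.0.113.10"),
        "other_net": ip_only.accept(s.key, "198.51.100.7"),   # rejected
        "same_nat": ip_only.accept(s.key, "203.0.113.10"),    # NAT gap: accepted
    }
    both = SessionStore(require_cookie=True)
    t = both.new_session()
    results["alice"] = both.accept(t.key, "203.0.113.10", t.cookie)
    results["bob_same_nat"] = both.accept(t.key, "203.0.113.10")  # no cookie
    return results
```

The IP check alone cannot tell two machines behind one NAT apart, which is why the second store also demands the cookie that only the original browser holds.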
