[Seaside] seaside sessions and http(s) - security
Philippe Marschall
philippe.marschall at gmail.com
Mon Sep 10 11:42:01 UTC 2007
2007/9/10, Liliana <liliana at finworks.biz>:
> Hi.
>
> We have a seaside app that is nearing deployment in GLASS; but I tested this
> behaviour in Squeak with seaside 2.8a1-pmm.391 - which is the base for the
> gemstone port.
> The entry point of our app is a WATask, which is presenting a login form and
> then - based on the access rights of the user - is building a
> WASimpleNavigation with different tabs (for various combinations of access
> rights) eg:
> (self session user hasUserRole: Administrator)
>     ifTrue: [navigationMenu add: InterestCalculatorForm new label: 'Interest calculator'].
> (self session user hasUserRole: UserAdministrator)
>     ifTrue: [navigationMenu
>         add: UserPage new label: 'User list';
>         add: AuditDataPage new label: 'Audit data'].
> etc.
>
> If one is logged in as user1 on browser1 and pastes in the browser a url
> copied from browser2/user2 - he then gets the whole session rights and tabs
> of user2. This appears to me as if the first user gets hold of the whole
> session object of the second user. Is the seaside session re-build inside
> the image from the url?
No, they share the same session object (the value of the _s parameter in the
url is used to look up the session).
> Is there some way of protecting against such a url copy and paste?
If the browsers are on different machines and not NATed then you can
use WASessionProtector (add it as a decoration to your root
component). You can also store the session key in a cookie instead of
the url.
Cheers
Philippe
> Thanks
> Liliana
>
>
>
> Liliana Ivan
> liliana at finwork.biz
> (27) 12 663 3140
> Finworks <http://www.finworks.biz/>
>
>
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>
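As an added illustration of the reply's advice (this is example code, not code from the thread or from Seaside itself), the snippet below shows a root component attaching WASessionProtector as a decoration, and next to it a hypothetical decoration, FinAppAddressGuard, that spells out the check such a protector performs: remember the client address seen when the session's root was built and refuse to render for any other address. It assumes Seaside 2.8 class names (WATask, WADecoration, WASessionProtector), the WAComponent>>addDecoration: hook, WARequest>>remoteAddress and WASession>>expire; the class and method names FinAppRoot and FinAppAddressGuard are invented for the example.

```smalltalk
"Added example, not from the original post or from Seaside.
 Assumed: Seaside 2.8 API (WATask, WADecoration, WASessionProtector,
 addDecoration:, currentRequest remoteAddress, session expire).
 FinAppRoot and FinAppAddressGuard are hypothetical names."

"1. The reply's suggestion: decorate the root component with Seaside's
   own protector. It binds the session to the first client address, so
   a _s value pasted from another machine is rejected. As the reply
   warns, this is useless when both browsers sit behind one NAT address."
WATask subclass: #FinAppRoot
	instanceVariableNames: ''
	classVariableNames: ''
	poolDictionaries: ''
	category: 'FinApp-Example'.

FinAppRoot >> initialize
	super initialize.
	self addDecoration: WASessionProtector new

"2. Hypothetical decoration making the check explicit. It is created
   while the root component is initialised, i.e. inside the first
   request of the session, and records that request's client address."
WADecoration subclass: #FinAppAddressGuard
	instanceVariableNames: 'boundAddress'
	classVariableNames: ''
	poolDictionaries: ''
	category: 'FinApp-Example'.

FinAppAddressGuard >> initialize
	super initialize.
	boundAddress := self session currentRequest remoteAddress

FinAppAddressGuard >> renderContentOn: html
	"Every render of the decorated component passes through here.
	 Same address: render the owner as usual.
	 Different address: the _s key was copied to another client, so
	 expire the shared session instead of serving the other user's tabs."
	self session currentRequest remoteAddress = boundAddress
		ifTrue: [ self renderOwnerOn: html ]
		ifFalse: [
			self session expire.
			html heading: 'Session rejected'.
			html text: 'This session is bound to a different client address; please log in again.' ]

"Usage: replace WASessionProtector new in FinAppRoot>>initialize with
 FinAppAddressGuard new to use the explicit variant."
```

Binding to the address only closes the copy-and-paste case between different machines; on the same machine, or behind a shared NAT, the pasted URL is still a valid session key. Moving the key into a cookie (the reply's second suggestion, configured through the application settings rather than in component code) removes it from the URL that gets copied, but a user who deliberately hands over the cookie value is still sharing the session, so the tab set should always be recomputed from the user actually authenticated in that session.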