[Seaside] sharing sessions through links..

John Thornborrow john at pinesoft.co.uk
Tue Oct 28 17:30:09 UTC 2008 

How about something like AES encrypting the session id in the URI, and
storing the AES key in the cookie?

Dave Bauer wrote:
> On Tue, Oct 28, 2008 at 12:59 PM, Julian Fitzell <jfitzell at gmail.com> wrote:
>   
>> On Tue, Oct 28, 2008 at 5:37 PM, David Farber <dfarber at numenor.com> wrote:
>>     
>>> On Oct 27, 2008, at 5:15 PM, Julian Fitzell wrote:
>>>
>>>       
>>>> The last (which is what Randal was suggesting) is probably the most
>>>> reasonable compromise in that you can leave the session key in the URL
>>>> and therefore have multiple sessions open and passing the URL to
>>>> somebody else doesn't give them access to the session. This (over SSL)
>>>> is probably pretty secure. But you still can't decide that the site
>>>> isn't working in Firefox and copy and paste the link over to IE.
>>>>
>>>> Without some way to actually confirm the identity of the user behind
>>>> the keyboard, of course, we have no choice but to make a compromise
>>>> somewhere.
>>>>         
>>> Forgive me if I am ignorantly suggesting something that won't work in
>>> Seaside, but I would try this:
>>>
>>> 1) Keep a token identifying the user in a cookie.
>>> 2) Leave the session info in the url.
>>>
>>> Since the session is still in the url, you can still have multiple sessions
>>> in the same browser.  And since the user token is in a cookie, I can paste
>>> the URL into any browser where I've already authenticated.
>>>       
>> Well that's basically what Randal was suggesting and is, I think, the
>> best we can do currently. It still only identifies the browser,
>> though: if a user walks away from the browser or someone sniffs the
>> cookie value, we have no way of knowing that it isn't the same user
>> anymore. Always using the same key for a particular user does have the
>> nice property that they can move sessions between browsers but at the
>> additional risk that you now want that cookie to persist for a much
>> longer period of time which is bad if the token does get captured.
>>
>>     
> Hi, I have been lurking for a long time, interested in seaside, but
> working with other web apps right now. That said, I have experience
> developing this type of system. The fact that the session identifier
> is not in a cookie doesn't really matter here. You need two cookies
> anyway. One for user identity and one for session identity. This way
> you can timeout a session, for example and require reauthentication,
> or require reauthentication for certain actions, such as amazon.com.
> Of course the exact details depend on your application.
>
> You could combine the user identity token with session checking to
> timeout a session, or require re-authentication after a certain time
> period. Obviously those settings depend on the exact security
> requirements of your application. I'd suggest using a hashed value in
> the identity cookie and to vary the cookies value randomly. Of course
> this again depends on the exact security requirements of your
> application, but in general it's a good idea.
>
> Dave
>
>   
>> Julian
>> _______________________________________________
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>>
>>     
>
>
>
>   


******************************************************************************************************************************************
This email is from Pinesoft Limited. Its contents are confidential to the intended recipient(s) at the email address(es) to which it has been addressed. It may not be disclosed to or used by anyone other than the addressee(s), nor may it be copied in anyway. If received in error, please contact the sender, then delete it from your system. Although this email and attachments are believed to be free of virus, or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by Pinesoft for any loss or damage arising in any way from receipt or use thereof. *******************************************************************************************************************************************


Pinesoft Limited are registered in England, Registered number: 2914825. Registered office: 266-268 High Street, Waltham Cross, Herts, EN8 7EA

More information about the seaside mailing list