27/10/2008

Security 'watch outs' in Seaside

There was an interesting question raised on the Seaside list today. I have pasted the thread below. Basically, if you share a URL with someone, they can potentially take over your Seaside session. There are ways around the problem, but it is important to note for the future.

>
> hey, guys..
>
> one quick question after watching the seaside movie last night..
>
> pretend i have an application like ebay written in seaside..
>
> so, i log into my account..
>
> check my bids..
>
> then, i do a search for something..
>
> during that search, i find something my friend would really like..
>
> so i send the link to my friend..
>
> now.. suppose he immediately clicks it (i sent it over IM..)
>
> does he now have full access to my session, including my account
> information?

Unless you take action to prevent it, yes. This problem isn't unique
to Seaside, of course; any system with session keys in URLs will
have the same problem. You can, of course, configure the session key
to be stored in cookies, which eliminates the problem. Or you can use
a WASessionProtector to prevent the IP address of the user from
changing.

Note that in either case, you would need to make sure to include
enough information in the URL via #updateUrl: that a new session could
be built pointing to the right item.
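To make the last point of the reply concrete, here is an added example (written for this post, not taken from the thread or from the Seaside project) of a Seaside 2.8-style component that puts the item identifier into every generated URL via #updateUrl: and rebuilds its state from that parameter in #initialRequest:. The class name ItemView, the parameter name 'item', and the comments about where the session-cookie setting lives are assumptions; only public, non-secret state goes in the URL, and the session key itself is kept in a cookie by the application configuration rather than by this code.

```smalltalk
"Added example, not part of the original post or of Seaside itself.
 Assumes Seaside 2.8-era protocol: WAComponent>>updateUrl:,
 WAComponent>>initialRequest:, WAUrl>>addParameter:value:
 and WARequest>>at:ifAbsent:."

WAComponent subclass: #ItemView
    instanceVariableNames: 'itemId'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'SeasideExample'.

ItemView >> initialRequest: aRequest
    "Called once, for the first request of a fresh session.
     Rebuild the view from the public 'item' parameter instead of
     from any earlier session state, so a link pasted to a friend
     opens the item page in the friend's own new session and never
     the sender's account."
    super initialRequest: aRequest.
    (aRequest at: 'item' ifAbsent: [ nil ])
        ifNotNil: [ :value | itemId := value ].

ItemView >> updateUrl: aUrl
    "Keep the item identifier in every URL Seaside generates for this
     component. The identifier is public data; the session key is
     deliberately not added here, because with session cookies
     enabled in the application configuration it no longer needs to
     travel in the link at all."
    super updateUrl: aUrl.
    itemId ifNotNil: [ aUrl addParameter: 'item' value: itemId ].

ItemView >> renderContentOn: html
    "Render enough to see which item the rebuilt session points at."
    html heading: 'Item ', itemId printString.
```

The cookie setting itself is not code: in Seaside 2.8 it is toggled per application in the configuration editor (the /config page), and the exact preference name varies between versions, so it is not shown here. With that setting on, a shared link of the form .../item?item=1234 carries only the item id; a recipient without the sender's cookie gets a new session whose ItemView is seeded from the 'item' parameter, which is what the reply means by including enough information in the URL for a new session to be built pointing at the right item.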
