Hey Roja,

> Out of interest, how easy is it to fake a session? The reason i ask is that
> i adore the simplicity of your aforementioned login from a static page
> especially aligned to https however say a malicious user becomes aware of a
> logged in user-session, how difficult would it be for the malicious user to
> falsify the logged-in user's session? Does the framework check against ip for
> verification of the session as well as cookies/url?

If the hacker knows the session ID, he is in. Checking against the IP
does not work since some users constantly switch IPs (i.e. they have
multiple NATs?) -- we did this in an early version of Wt and had to drop
that. Because of the importance of the session ID, on platforms with
support for secure (cryptographic or high entropy) random generators,
we use them (this is currently the case for Linux and Win32).

If you want to prevent a hacker from eavesdropping on the session ID,
you currently should use a secure (HTTPS) connection throughout the
entire application.

Perhaps, if there is enough interest, in the future we might support a
system where during initialization not only a session ID but a second
secure random token is exchanged. The latter could then be used as a
token generating device within the browser, where for each request the
next "one-time password" is exchanged.

> In addition, i was reading about the issues with the license of the current
> EXTjs solution. jQuery may offer a replacement library (skinnable to look
> identical to EXTjs.)

To my understanding, jQuery provides many utility functions for
manipulating the DOM, but almost no widgets like ExtJS (with the
exception of a handful, all of which have native implementations in
Wt)?

Our current plan is to improve the native widgets in Wt, so that the
added value of ExtJS becomes less over time. For example, that is why
we added client-side validation support to our WValidators even when
used in conjunction with plain WFormWidgets. Next up are WTextEdit,
WTableView, and the layout machinery.

> Finally, can multiple ex apps run on the same domain without session issues?
> i.e. 1) whatever.com/ 2) whatever.com/admin where the public and admin
> webapps are entirely separate wt instances?

You mean like in the wt homepage where all examples run alongside
the homepage itself?

Because we do not use cookies (by default) for session management, a
single user can even start two sessions of the same application, so
there is absolutely no cross-talk between sessions in the same domain.
But even using cookies for session management, there would be no
problem, as the cookie encodes the exact application path.

Regards,
koen
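The "second secure random token" idea sketched in the reply above, written out as an added illustration (this is not Wt code and not part of the original message): the server hands the browser a high-entropy session ID plus a second secret once at session start, and every later request carries only a one-time value derived from that secret and a per-session counter, so a value captured from one request is useless for the next. The class and function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets


def one_time_token(seed: bytes, counter: int) -> str:
    """Derive the per-request 'one-time password' from the second secret and the counter."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()


class SessionStore:
    """Server side: session ID -> (second secret, expected counter)."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create_session(self) -> tuple[str, bytes]:
        sid = secrets.token_urlsafe(32)      # session ID from the OS CSPRNG
        seed = secrets.token_bytes(32)       # second secret, exchanged once (over HTTPS)
        self._sessions[sid] = {"seed": seed, "counter": 0}
        return sid, seed

    def verify(self, sid: str, presented: str) -> bool:
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        expected = one_time_token(sess["seed"], sess["counter"])
        if not hmac.compare_digest(expected, presented):
            return False                     # wrong or replayed value: counter stays put
        sess["counter"] += 1                 # accepted: this value can never be reused
        return True


class BrowserClient:
    """Browser side: keeps the second secret and counter, never sends the secret again."""

    def __init__(self, sid: str, seed: bytes) -> None:
        self.sid, self.seed, self.counter = sid, seed, 0

    def next_request(self) -> tuple[str, str]:
        tok = one_time_token(self.seed, self.counter)
        self.counter += 1
        return self.sid, tok


def demo() -> tuple[bool, bool, bool, bool]:
    """Genuine request, replay of an eavesdropped token, next genuine request, forged token."""
    store = SessionStore()
    client = BrowserClient(*store.create_session())
    sid, tok1 = client.next_request()
    first = store.verify(sid, tok1)
    replay = store.verify(sid, tok1)         # attacker resends a captured (sid, token) pair
    _, tok2 = client.next_request()
    second = store.verify(sid, tok2)
    forged = store.verify(sid, "0" * 64)     # session ID known, but secret unknown
    return first, replay, second, forged     # (True, False, True, False)
```

A deployable version would also need to tolerate lost or reordered requests (for example a small acceptance window on the counter), which this example leaves out.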
