Is it possible (due to security reasons) to tie every continuation to a particular user session? This way no one could "hack" into the application by using a URL from history. I have problems with my application because it allows a continuation to be run even if the user has logged out. If continuations were bound to a particular session, destroying the session would invalidate ALL of them - which is a much better solution than invalidating each by hand in flowscript.

I found this problem and I really have no idea how I could fix this. Right now it looks like this:

<map:resource name="resume-continuation">
        <map:act type="set-header">
                <map:parameter name="Expires" value="-1"/>
                <map:parameter name="Cache-Control" value="no-cache"/>
                <map:parameter name="Pragma" value="no-cache"/>
                <map:call continuation="{../continuation-id}"/>
        </map:act>
</map:resource>
[...]
<map:match pattern="*.do">
        <map:match type="request-parameter" pattern="continuation-id">
                <map:call resource="resume-continuation">
                        <map:parameter name="continuation-id" value="{1}"/>
                </map:call>
        </map:match>
        <map:call function="main">
                <map:parameter name="action" value="{1}"/>
                <map:parameter name="home" value="{global:baseURL}"/>
        </map:call>
</map:match>

and the flowscript follows:
function main( action, home ) {
    // never let the browser or a proxy cache a page that resumes a continuation
    cocoon.response.setHeader( "Expires", "-1" );
    cocoon.response.setHeader( "Cache-Control", "no-cache" );
    cocoon.response.setHeader( "Pragma", "no-cache" );
    baseURL = home;
    cocoon.session.setAttribute( "baseURL", baseURL );

    if ( springContext == null ) setupSpringContext();

    // force a login if the session does not carry a user yet
    if ( cocoon.session.user == null ) {
        loginInternal();
    }
    invoke( action );
}

// dispatch to the flowscript function named by the sitemap, or render a plain page
function invoke( action ) {
    var func = this[ action ];
    if ( func != undefined ) func.apply( this );
    else cocoon.sendPage( action, {} );
}

function loginInternal() {
    var cookieUsername = findCookie( "username" );
    var cookiePassword = findCookie( "password" );

    // auto-login from remembered cookies
    if ( cookieUsername != null && cookiePassword != null && cookieUsername != "" ) {
        var user = validateLoginData( cookieUsername, cookiePassword );
        if ( user != null ) {
            cocoon.session.setAttribute( "user", user );
            // reset expiry time
            storeLoginCookies( cookieUsername, cookiePassword );
            return;
        }
    }

    // otherwise show the login form (pre-filled from the cookies, if any)
    var form = new Form( "forms/login-def.xml" );
    var model = form.getModel();

    model.username = cookieUsername;
    model.password = cookiePassword;
    form.showForm( "form/login", {} );
}

The problem is: I cannot wrap <map:call continuation/> with some session validator action because I do not know whether this continuation belongs to the login procedure (this way I would block access to entering data into the login form - total security ! :)).


I would like to keep the application logic intact so every /baseURL/callSomeFunction.do would show a login form first and then continue to the appropriate page (if the user has not been authenticated before).

Please comment.
--
Leszek Gawron                                      [EMAIL PROTECTED]


