Sylvain Wallez wrote:
Leszek Gawron wrote:
Is it possible (for security reasons) to tie every continuation to
a particular user session? This way no one could "hack" into the
application by using a URL from history. I have problems with my
application because it allows running a continuation even if the user has
logged out. If continuations were bound to a particular session,
destroying the session would invalidate ALL of them - which is a much
better solution than invalidating each by hand in flowscript.
I found this problem and I really have no idea how I could fix this.
Right now it looks like this:
<snip what="code"/>
The problem is: I cannot wrap <map:call continuation/> with some
session validator action because I do not know whether this continuation
belongs to the login procedure (that way I would block access to
entering data into the login form - total security! :)).
I would like to keep the application logic intact, so that every
/baseURL/callSomeFunction.do shows a login form first and then
continues to the appropriate page (if the user has not been authenticated before).
Please comment.
Well, IMO the only clean way to achieve this is to have a continuations
manager that automatically binds new continuations to the current
session, thus making fully isolated continuation groups.
I proposed this some time ago [1] for other purposes but haven't had the time
up to now to actually write it. Want to write it?
If you give me a few hints about what should be changed, I will do it.
--
Leszek Gawron [EMAIL PROTECTED]