DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=31676>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=31676

[PATCH] HolderAwareContinuationsManagerImpl

           Summary: [PATCH] HolderAwareContinuationsManagerImpl
           Product: Cocoon 2
           Version: Current CVS 2.1
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: core
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

This is a continuations manager that stores continuations in the session. This is very useful for secure web applications. I have already had complaints from clients that they are able to invoke a continuation even after logging out and invalidating the session. This might be a big security risk. There might be different solutions to this problem (aspects in flow, for example), but this one is the simplest. I had most of these problems using Firefox, which aggressively caches content disregarding caching headers.

The solution is simple: store continuations in the session. This way a user can access only their own continuations. Session invalidation effectively removes all continuations associated with that session.

Please review my code.

Implementation comments:
- I have not implemented instrumentation yet.
- The manager does not log anything right now (yet).
- I provided a little patch for WebContinuation (add a helper method detachFromParent).
- Continuations are stored in WebContinuationsHolder.
- WebContinuation had to be extended with the knowledge of its holder: HolderAwareWebContinuation. This is needed for automatic kont expiration (the manager has to know which holder to remove the kont from).
- The continuation ids are not securely generated yet. These are just long integers being incremented for each continuation. To be honest, there is no need for such strong continuation id hashing, as they are secured by the session id now. Maybe it is good to generate user-unreadable continuation ids so users do not play with them :)

To use the new continuations manager, please edit your cocoon.roles file for now and change the role for o.a.c.components.flow.ContinuationsManager.

Is there a possibility to put this code into the official release and provide a way to choose a continuations manager from the build.properties file? This way a user could choose to use simple continuation management that allows continuation sharing, or the secure one.
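The difference between the two designs the report contrasts (a global continuation table versus a holder bound to the owning session) can be shown in a small model. The following is an added example written for this page, not code from the Cocoon patch; it is a language-neutral Python model, not Cocoon's Java API. The `Session` class stands in for a servlet session, the attribute name `continuations-holder` and the function names are assumptions, and the session-scoped manager generates random ids, which the report says the patch does not do yet.

```python
import itertools
import secrets
from dataclasses import dataclass, field


class Session:
    """Minimal stand-in for a servlet HttpSession (constructed for this example)."""

    def __init__(self, session_id):
        self.id = session_id
        self.attributes = {}
        self.valid = True

    def invalidate(self):
        # Like HttpSession.invalidate(): everything bound to the session goes away.
        self.valid = False
        self.attributes.clear()


class SharedContinuationsManager:
    """Design A: one global table keyed by continuation id.

    Any request that presents a known id resumes the continuation, whichever
    session it arrives with, and logout never touches the table.
    """

    def __init__(self):
        self._continuations = {}
        self._next_id = itertools.count(1)   # incrementing ids, as in the report

    def create(self, session, state):
        kont_id = str(next(self._next_id))
        self._continuations[kont_id] = state
        return kont_id

    def lookup(self, session, kont_id):
        return self._continuations.get(kont_id)


@dataclass
class HolderAwareContinuation:
    """Continuation that knows the holder it lives in, so expiry can remove it."""
    kont_id: str
    state: object
    holder: dict = field(repr=False)

    def detach(self):
        self.holder.pop(self.kont_id, None)


class HolderAwareContinuationsManager:
    """Design B: continuations live in a holder bound to the owning session.

    Lookup consults only the caller's own session, so an id is only meaningful
    together with that session, and invalidating the session drops the holder
    and every continuation in it at once.
    """

    HOLDER_ATTRIBUTE = "continuations-holder"   # assumed attribute name

    def _holder(self, session, create=False):
        if not session.valid:
            return None
        holder = session.attributes.get(self.HOLDER_ATTRIBUTE)
        if holder is None and create:
            holder = session.attributes[self.HOLDER_ATTRIBUTE] = {}
        return holder

    def create(self, session, state):
        holder = self._holder(session, create=True)
        # Unguessable id (assumption: the reported patch still uses a counter).
        kont_id = secrets.token_urlsafe(16)
        holder[kont_id] = HolderAwareContinuation(kont_id, state, holder)
        return kont_id

    def lookup(self, session, kont_id):
        holder = self._holder(session)
        kont = holder.get(kont_id) if holder else None
        return kont.state if kont else None

    def expire(self, session, kont_id):
        holder = self._holder(session)
        kont = holder.get(kont_id) if holder else None
        if kont:
            kont.detach()


def replay_after_logout(manager):
    """Scenario from the report: a continuation URL is replayed (e.g. from a
    browser cache) after the user logged out, and also tried from another session."""
    alice = Session("alice-1")
    mallory = Session("mallory-1")
    kont_id = manager.create(alice, "checkout step 2")
    result = {
        "owner_before_logout": manager.lookup(alice, kont_id),
        "other_session": manager.lookup(mallory, kont_id),
    }
    alice.invalidate()                 # logout
    alice_again = Session("alice-2")   # fresh session issued on the next request
    result["owner_after_logout"] = manager.lookup(alice_again, kont_id)
    return result


if __name__ == "__main__":
    print("shared:      ", replay_after_logout(SharedContinuationsManager()))
    print("holder-aware:", replay_after_logout(HolderAwareContinuationsManager()))
```

With the shared manager the continuation resumes in all three cases, including from another session and after logout; with the holder-aware manager it resumes only for the owning session while that session is valid. Note that the model ties a continuation to the session object, so the protection is only as strong as the session id itself.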
