Torsten Curdt wrote:
> > Today we came across a possible security problem when you use flow
> > script. We tested the following example with 2.1.5.1 and the current
> > 2.1.x branch. Here is a simple example:
> >
> > We have two areas in our web application, one is available for every
> > user and one area is only accessible for authenticated users.
> > We create two sub sitemaps - one for each area. Both are using flow
> > with different scripts. The second sitemap is protected by using the
> > authentication framework (how the authentication is done is actually
> > not important).
>
> ...but that *is* important: if you would be using a flow
> based authentication mechanism this is not a problem at all.

Why? If flow checks the authentication, I simply use a continuation id from an authenticated user and I'm in the application.
Carsten
