Sylvain Wallez wrote:
Leszek Gawron wrote:
Sylvain Wallez wrote:
This has already been identified by Leszek Gawron. Although this is an issue, it can only be exploited by hijacking a continuation ID which, if done, also means the ability to hijack the session ID and therefore the associated authorizations.
Exactly.
1. You login. 2. Do stuff. 3. Logout.
Did you forget to invalidate continuations? Your fault. (1)
4. Even restart your computer.
5. Go to Firefox cache - the page is there (still do not know why if I set caching headers properly).
Properly configured headers allow you to keep stuff out of the cache - works for me. http://www.mozilla.org/projects/netlib/http/http-caching-faq.html
6. http://thehost.com/myapp/showReport.do. The page loads from cache. The page content has a hidden input with valid continuation.
See (1) above.
The solution for this is the continuation-per-session manager, where a continuation ID only exists within a given session.
Would you be so kind as to review my solution for this? It is not quite finished (instrumentation and debug info is not implemented) but I am very eager to polish it if it could be useful to anyone but me.
I left some comments already in the bug report.
I also like your idea of associating the sitemap ID to the continuation so that a given continuation can only be called in the sitemap that created it. As the flowscript interpreter already holds this ID, that should be pretty much straightforward.
It won't work - see my example in the other email on this subject.
How can I retrieve that ID? I could implement a test version for Carsten.
It is in AbstractInterpreter.getInterpreterID()
Vadim
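An added Python model, not Cocoon's ContinuationsManager or anyone's code from this thread, of the two defences discussed above: a continuation ID that is only known inside the session that created it, and the sitemap (interpreter) ID bound to each continuation. Class and method names, and the "sitemap-A"/"sitemap-B" IDs, are assumptions made for the illustration.

```python
import secrets


class SessionScopedContinuations:
    """Continuations live inside the session that created them and carry the
    interpreter (sitemap) ID that created them: dropping the session drops its
    continuations, and an ID replayed from another session never resolves."""

    def __init__(self):
        self._sessions = {}  # session_id -> {continuation_id: interpreter_id}

    def login(self):
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {}
        return session_id

    def logout(self, session_id):
        # Invalidating the session invalidates every continuation it owns.
        self._sessions.pop(session_id, None)

    def create_continuation(self, session_id, interpreter_id):
        # Caller must hold a live session; a logged-out session raises KeyError.
        cont_id = secrets.token_hex(16)
        self._sessions[session_id][cont_id] = interpreter_id
        return cont_id

    def resume(self, session_id, cont_id, interpreter_id):
        """True only if cont_id was created in this session by this sitemap."""
        table = self._sessions.get(session_id, {})
        return table.get(cont_id) == interpreter_id


def replay_from_cache_is_rejected():
    """Leszek's scenario: login, do stuff, logout, then submit the ID from a cached page."""
    store = SessionScopedContinuations()
    first = store.login()
    cont_id = store.create_continuation(first, "sitemap-A")
    live = store.resume(first, cont_id, "sitemap-A")       # True while logged in
    store.logout(first)
    second = store.login()                                  # later, same browser
    replayed = store.resume(second, cont_id, "sitemap-A")   # False: not this session
    return live and not replayed


def foreign_sitemap_is_rejected():
    """Sitemap binding: a continuation cannot be resumed through another sitemap."""
    store = SessionScopedContinuations()
    session = store.login()
    cont_id = store.create_continuation(session, "sitemap-A")
    return not store.resume(session, cont_id, "sitemap-B")
```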
