Niklas Eklund wrote:
Rob Berens wrote:
Carsten Ziegeler wrote:
Hmm, I might be wrong, but does this really protect you?
If you have a flow that is usable by not authenticated users,
you run into the same problem I think.
I see, you are right. An unauthorized user can get access to the
continuation by adding the continuation parameter to another request
he is authorized for.
I have solved a similar problem in an application by using a wrapped
sendPage() like:
    function w_sendPage(x, y, z) {
        // remember who started the flow before suspending
        var currentUser = getCurrUser(); // userPrincipal/remoteUser/whatever
        sendPage(x, y, z);
        // sendPage returns when the continuation is resumed; the resuming
        // request must come from the same user, otherwise abort
        if (currentUser != getCurrUser()) {
            throw "Bad boy!";
        }
    }
It's nice but does not work for cforms.
--
Leszek Gawron [EMAIL PROTECTED]
Project Manager MobileBox sp. z o.o.
+48 (61) 855 06 67 http://www.mobilebox.pl
mobile: +48 (501) 720 812 fax: +48 (61) 853 29 65