Carsten Ziegeler wrote:
-----Original Message-----
From: Vadim Gritsenko [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 20, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible security problem with flowscript
Carsten Ziegeler wrote:
So what are we going to do about this?
Discussion of this mostly moved to bugzilla #31676.
Which is not a good place to discuss :)
So I will repeat my proposal here. My idea is to implement (nearly done) a continuations manager that has 3 levels of security:
- standard (current functionality)
- continuations invalidated along with session, still the continuation is reachable from other sessions (or no session at all)
- fully isolated. only the session that created the continuation can access it.
For my web applications I would surely go for for full isolation so I would like to have this option in cocoon core (so I do not have to patch every of my projects).
Is there any sense to bind continuations to the sitemap? Vadim?
I don't have objections against it. It probably makes sense to always bind continuations at least to the sitemap instance. Binding to session should be optional.
Vadim
