1) If you share the url with the _s parameter, then you can continue
that session in other browser/machine.

This is so because by the default the application uses
WAQueryFieldHandlerTrackingStrategy as the #trackingStrategy config.
But you can override it and use any of the WAHandlerTrackingStrategy
concrete subclasses, to make it cookie based or IP based.

2) There is no special trick regarding the session, but it is true
there is no default "authentication/login" component ready to be used.
All sessions have an instance of WASession, preferably one subclass of
your own, which you must "login" or "logout" based on your own
criteria. You can modify the expiration time as well as completely
remove it explicitly by sending #unregister to the session object,
usually as part of a "logout" or "signout" method of your own.

I hope this helps.

Esteban A. Maringolo

2016-09-21 7:31 GMT-03:00 Petr Fischer <petr.fisc...@me.com>:
> Hello, two questions about Seaside sessions:
> 1) URL sharing between different users - what if "boss" shares URL from his 
> browser and send it to another regular user - of course, easy way, whole URL 
> with session (_s=xxxx) - when another/regular user opens that link -> whole 
> "boss" session opens in regular user's browser, with all "boss" permissions, 
> UI state etc etc - very bad, is there any solution for this? Rewrite every 
> (!) URL with updateURL: is not solution :(
> 2) What is the actual way for "session expiration/login page"? There is few 
> tutorials and books on the inet - but info about session expiration is 
> obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
> Some trick with WAApplication subclass is actual?
> Thanks very much! pf

Reply via email to