On Wed, Sep 21, 2016 at 11:50 AM, Johan Brichau <jo...@inceptive.be> wrote:

> > On 21 Sep 2016, at 12:31, Petr Fischer <petr.fisc...@me.com> wrote:
> >
> > Hello, two questions about Seaside sessions:
> >
> > 1) URL sharing between different users - what if "boss" shares URL from
> > his browser and sends it to another regular user - of course, easy way,
> > whole URL with session (_s=xxxx) - when another/regular user opens that
> > link -> whole "boss" session opens in regular user's browser, with all
> > "boss" permissions, UI state etc etc - very bad, is there any solution for
> > this? Rewrite every (!) URL with updateURL: is not solution :(
>
> If this is a concern, you can use a cookie for session tracking, but that
> means you cannot have multiple Seaside sessions running in the same browser
> at the same time.
> There are probably other ways, but I think the solution is not to rely on
> a session key for authentication.
> Here’s a strategy:
> Keep the Seaside session key in the url for session tracking but use an
> authorization cookie for authorization. Put that cookie when the user logs
> in and check its presence when requests come in for a session.
> I think that using a filter for that is a good choice.
> Whenever another user copy/pastes the url, he cannot ‘hijack’ the session
> because he lacks the correct authentication cookie.
That's exactly what I did in my case. And the way to implement that was
with a custom session tracker that dealt with the cookie plus a filter for
the checking and kickout.

I can share this if someone wants it (I think I already shared it before)

> > 2) What is the actual way for "session expiration/login page"? There are
> > few tutorials and books on the inet - but info about session expiration is
> > obsolete :( Methods from tutorials do not exist in Seaside 3.2.0.
> > Some trick with WAApplication subclass is actual?
>
> I’m not sure what the question is. Do you want to redirect users to a page
> whenever the session is expired?
> cheers
> Johan
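
The strategy quoted above (session key in the URL for tracking, a separate cookie for authorization, checked by a filter before the request is handled), as an added example that is not from this thread and is not Seaside code. It is a framework-independent Python model; the class, method and cookie names are hypothetical.

```python
import hmac
import secrets

AUTH_COOKIE = "auth"  # hypothetical cookie name


class SessionRegistry:
    """Model of URL-tracked sessions guarded by a per-session auth cookie."""

    def __init__(self):
        self._sessions = {}  # session key (the _s value in the URL) -> state

    def new_session(self):
        key = secrets.token_urlsafe(16)
        self._sessions[key] = {"user": None, "auth_token": None}
        return key

    def login(self, session_key, user):
        """Mark the session as logged in and return the cookie value to set.
        The value travels only in a cookie (Secure, HttpOnly), never in a URL."""
        token = secrets.token_urlsafe(32)
        self._sessions[session_key].update(user=user, auth_token=token)
        return token

    def filter_request(self, session_key, cookies):
        """Run before any page logic; returns (status, user)."""
        session = self._sessions.get(session_key)
        if session is None:
            return 404, None  # unknown or expired session key
        expected = session["auth_token"]
        if expected is None:
            return 200, None  # anonymous session, nothing to protect yet
        presented = cookies.get(AUTH_COOKIE, "")
        # The token is bound to this session, so a valid cookie that belongs
        # to a different session is rejected as well.
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return 403, None  # the kickout case: URL copied, cookie missing
        return 200, session["user"]


def demo():
    reg = SessionRegistry()
    boss_key = reg.new_session()
    boss_cookie = reg.login(boss_key, "boss")
    other_cookie = reg.login(reg.new_session(), "regular")
    return {
        "owner": reg.filter_request(boss_key, {AUTH_COOKIE: boss_cookie}),
        "shared_url_no_cookie": reg.filter_request(boss_key, {}),
        "shared_url_other_cookie": reg.filter_request(boss_key, {AUTH_COOKIE: other_cookie}),
    }
```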

