On Wed, Sep 21, 2016 at 11:50 AM, Johan Brichau <jo...@inceptive.be> wrote:
> > On 21 Sep 2016, at 12:31, Petr Fischer <petr.fisc...@me.com> wrote:
> >
> > Hello, two questions about Seaside sessions:
> >
> > 1) URL sharing between different users - what if the "boss" shares a URL from his browser and sends it to another, regular user - of course, the easy way, the whole URL with the session (_s=xxxx) - when the other/regular user opens that link -> the whole "boss" session opens in the regular user's browser, with all "boss" permissions, UI state etc. etc. - very bad, is there any solution for this? Rewriting every (!) URL with updateURL: is not a solution :(
>
> If this is a concern, you can use a cookie for session tracking, but that means you cannot have multiple Seaside sessions running in the same browser at the same time.
>
> There are probably other ways, but I think the solution is not to rely on a session key for authentication.
> Here’s a strategy:
> Keep the Seaside session key in the URL for session tracking but use an authorization cookie for authorization. Put that cookie when the user logs in and check its presence when requests come in for a session.
> I think that using a filter for that is a good choice.
>
> Whenever another user copy/pastes the URL, he cannot ‘hijack’ the session because he lacks the correct authentication cookie.

That's exactly what I did in my case. And the way to implement that was with a custom session tracker that dealt with the cookie plus a filter for the checking and kickout. I can share this if someone wants it (I think I already shared it before).

> > 2) What is the actual way to do "session expiration/login page"? There are a few tutorials and books on the internet, but the info about session expiration is obsolete :( Methods from the tutorials do not exist in Seaside 3.2.0.
> >
> > Is some trick with a WAApplication subclass the current way?
>
> I’m not sure what the question is. Do you want to redirect users to a page whenever the session is expired?
>
> cheers
> Johan

--
Mariano
http://marianopeck.wordpress.com
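A concrete sketch of the strategy Johan describes and Mariano says he implemented (session key stays in the URL for tracking, a separate authorization cookie is issued at login and enforced by a request filter), added here as an example; it is not the code either of them posted. It assumes Seaside 3.2 names as I remember them (WASession, WARequestFilter, WARequestHandler>>addFilter:, WAKeyGenerator, WACookie, WARequestContext>>session and >>cookies, WARequest>>cookieAt:, WAResponseGenerator>>redirectTo:) and the hypothetical class names AuthCookieSession and AuthCookieFilter; check each selector in your image before relying on it.

```smalltalk
"Added example, not code from the thread. Selectors marked 'assumed' were not
 verified against a Seaside 3.2 image; check them in your own."

WASession subclass: #AuthCookieSession
    instanceVariableNames: 'authToken'
    classVariableNames: ''
    package: 'Example-AuthCookie'.

AuthCookieSession >> initialize
    super initialize.
    "Every request addressed to this session passes through the filter before
     the session dispatches it to a component or callback (addFilter: assumed)."
    self addFilter: AuthCookieFilter new

AuthCookieSession >> authToken
    ^ authToken

AuthCookieSession >> cookieName
    "One cookie per Seaside session, named after the session key (key assumed),
     so several sessions in one browser (different tabs) do not overwrite each
     other's token; the URL-based _s tracking is kept for exactly that reason."
    ^ 'auth_' , self key

AuthCookieSession >> loginUser: aUser
    "Call this only after the user's credentials have been verified.
     The session key in the URL tracks the session; authorization is a fresh
     random token that reaches only the browser that logged in, as a cookie.
     A copied URL carries _s=... but never this cookie."
    authToken := WAKeyGenerator default keyOfLength: 32.
    self requestContext cookies addCookie:
        ((WACookie key: self cookieName value: authToken)
            httpOnly: true;   "assumed accessor: keep page scripts away from the token"
            yourself)

AuthCookieSession >> logout
    "Dropping the token invalidates every copy of it; expire the session too."
    authToken := nil.
    self expire


WARequestFilter subclass: #AuthCookieFilter
    instanceVariableNames: ''
    classVariableNames: ''
    package: 'Example-AuthCookie'.

AuthCookieFilter >> handleFiltered: aRequestContext
    | session expected presented |
    session := aRequestContext session.   "assumed accessor"
    expected := session authToken.
    "Before login there is nothing to protect: let the login page through."
    expected isNil ifTrue: [ ^ self next handleFiltered: aRequestContext ].
    presented := aRequestContext request cookieAt: session cookieName.
    (presented notNil and: [ presented = expected ])
        ifFalse: [ ^ self reject: aRequestContext ].
    self next handleFiltered: aRequestContext

AuthCookieFilter >> reject: aRequestContext
    "A request carried a valid _s key but not the matching cookie, i.e. it came
     from a pasted URL (or a leaked Referer / log line), not from the browser
     that logged in. Answer a redirect to a fresh, unauthenticated entry into
     the application instead of serving anything from the hijacked session."
    aRequestContext responseGenerator
        redirectTo: aRequestContext session application url;
        respond
```

Two design choices worth noting. The reject path only redirects; it does not expire the session, because expiring it would let anyone who obtains the URL log the legitimate owner out, which turns a hijack defence into a denial of service. And the token is regenerated on every login rather than reused, so a token that leaked from an earlier session is worthless. Over HTTPS also set the cookie's secure flag, and scope its path to the application so it is not sent to other Seaside applications on the same host.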