> > Hello, two questions about Seaside sessions: > > > > 1) URL sharing between different users - what if "boss" shares URL from his > > browser and send it to another regular user - of course, easy way, whole > > URL with session (_s=xxxx) - when another/regular user opens that link -> > > whole "boss" session opens in regular user's browser, with all "boss" > > permissions, UI state etc etc - very bad, is there any solution for this? > > Rewrite every (!) URL with updateURL: is not solution :( > > If this is a concern, you can use a cookie for session tracking, but that > means you cannot have multiple Seaside sessions running in the same browser > at the same time. > > There are probably other ways, but I think the solution is not to rely on a > session key for authentication. > Here’s a strategy: > Keep the Seaside session key in the url for session tracking but use an > authorization cookie for authorization. Put that cookie when the user logs in > and check its presence when requests come in for a session. > I think that using a filter for that is a good choice. > > Whenever another user copy/pastes the url, he cannot ‘hijack’ the session > because he lacks the correct authentication cookie.
This sounds reasonable. Thanks. > > > 2) What is the actual way for "session expiration/login page"? There is few > > tutorials and books on the inet - but info about session expiration is > > obsolete :( Methods from tutorials not exists in Seaside 3.2.0. > > Some trick with WAApplication subclass is actual? > > I’m not sure what the question is. Do you want to redirect users to a page > whenever the session is expired? Yes, just ordinary redirect to login page, with proper expiration notice (when session is expired). Another question is, how to handle session expiration inside AJAX call (also with proper redirect to login page with expiration notice) - this is harder - there is some solutions, like "ping" from web browser to Seaside server, so the session never expires, but this is in conflict with my/common needs (I want session timeout with auto logouts). > cheers > Johan