> > > Hello, two questions about Seaside sessions:
> > >
> > > 1) URL sharing between different users - what if "boss" shares a URL from
> > > his browser and sends it to another regular user - of course, the easy way,
> > > the whole URL with session (_s=xxxx) - when the other/regular user opens that
> > > link -> the whole "boss" session opens in the regular user's browser, with all
> > > "boss" permissions, UI state etc etc - very bad, is there any solution for
> > > this? Rewriting every (!) URL with updateURL: is not a solution :(
> >
> > If this is a concern, you can use a cookie for session tracking, but that
> > means you cannot have multiple Seaside sessions running in the same browser
> > at the same time.
> >
> > There are probably other ways, but I think the solution is not to rely on
> > a session key for authentication.
> > Here’s a strategy:
> > Keep the Seaside session key in the url for session tracking but use an
> > authorization cookie for authorization. Set that cookie when the user logs
> > in and check its presence when requests come in for a session.
> > I think that using a filter for that is a good choice.
> >
> > Whenever another user copy/pastes the url, he cannot ‘hijack’ the session
> > because he lacks the correct authentication cookie.
> >
> >
> That's exactly what I did in my case. And the way to implement that was
> with a custom session tracker that dealt with the cookie plus a filter for
> the checking and kickout.
> 
> I can share this if someone wants it (I think I already shared it before)

Other beginners with Pharo/Seaside might appreciate it if it were a standard part of 
Seaside.

In the standard Seaside package there is, for example, the class 
WAIPSessionTrackingStrategy; it's nice as an example, but unusable in the real world.

Your session tracking strategy is definitely more useful - can you share it? Can 
you share it with the Seaside developers? :)

> > > 2) What is the current way to do "session expiration/login page"? There are
> > > a few tutorials and books on the net - but the info about session expiration is
> > > obsolete :( Methods from the tutorials don't exist in Seaside 3.2.0.
> > > Is some trick with a WAApplication subclass the current way?
> >
> > I’m not sure what the question is. Do you want to redirect users to a page
> > whenever the session is expired?
> >
> > cheers
> > Johan
> >
> -- 
> Mariano
> http://marianopeck.wordpress.com
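The strategy Johan describes above (session key stays in the URL for tracking, a separate cookie set at login carries the authorization, and a request filter rejects requests that arrive with a valid session key but without the matching cookie), as an added, framework-neutral example. This is not Mariano's session tracker nor any Seaside code; it is written in Python rather than Smalltalk so it can be run as-is, and the class and function names (SessionStore, check_request, AUTH_COOKIE, SESSION_TTL) and the in-memory session registry are assumptions standing in for Seaside's own session handling. It also shows the expiry branch that the second question asks about: an expired session is dropped and the filter reports it so the application can send the user to a login page.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed names: the cookie carrying the authorization token and the idle
# timeout after which a session is discarded.  In a real deployment the
# cookie would be set with HttpOnly and Secure so it never appears in a URL.
AUTH_COOKIE = "auth"
SESSION_TTL = 30 * 60  # seconds of inactivity before a session expires


@dataclass
class Session:
    """Constructed stand-in for a server-side session record."""
    user: Optional[str] = None
    auth_token_hash: Optional[bytes] = None  # set at login, None while anonymous
    last_seen: float = field(default_factory=time.time)


def _hash(token: str) -> bytes:
    # Store only a hash of the cookie value so a leaked session table does
    # not hand out usable cookies.
    return hashlib.sha256(token.encode("utf-8")).digest()


class SessionStore:
    """In-memory registry keyed by the _s value that appears in the URL."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        key = secrets.token_urlsafe(16)
        self._sessions[key] = Session()
        return key

    def get(self, key: str) -> Optional[Session]:
        return self._sessions.get(key)

    def expire(self, key: str) -> None:
        self._sessions.pop(key, None)

    def login(self, key: str, user: str) -> str:
        """Called once credentials are verified: mints the authorization
        cookie value, binds its hash to this session and returns the value
        so the response can set the cookie."""
        session = self._sessions[key]
        token = secrets.token_urlsafe(32)
        session.user = user
        session.auth_token_hash = _hash(token)
        return token


def check_request(store: SessionStore, url: str, cookies: Dict[str, str],
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """The filter: decide whether a request may use the session named in
    its URL.  Returns (allowed, reason); reason is the user name on success."""
    now = time.time() if now is None else now
    key = parse_qs(urlparse(url).query).get("_s", [None])[0]
    if key is None:
        return False, "no-session-key"
    session = store.get(key)
    if session is None:
        return False, "unknown-session"
    if now - session.last_seen > SESSION_TTL:
        store.expire(key)          # here the app would redirect to login
        return False, "expired"
    session.last_seen = now
    if session.auth_token_hash is None:
        return True, "anonymous"   # pre-login pages need no cookie
    presented = cookies.get(AUTH_COOKIE)
    if presented is None:
        return False, "missing-cookie"   # shared URL, no cookie: kick out
    if not hmac.compare_digest(_hash(presented), session.auth_token_hash):
        return False, "cookie-mismatch"  # cookie from some other session
    return True, session.user or "anonymous"


if __name__ == "__main__":
    store = SessionStore()
    key = store.new_session()
    url = f"https://app.example.invalid/seaside/app?_s={key}&_k=abc"  # constructed
    token = store.login(key, "boss")
    print("boss with cookie   :", check_request(store, url, {AUTH_COOKIE: token}))
    print("shared URL, no cookie:", check_request(store, url, {}))
```

The session key in the URL still identifies which session state to load, exactly as Seaside does today; what changes is that the key alone no longer proves who is sending the request. Someone who receives the pasted URL has the key but not the cookie, so the filter answers missing-cookie and the application can discard or reset that session instead of serving the boss's UI.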
