It would be cool.

Why don't you paste it on your blog?

I hope to get back to the seaside book one of these days and I would like to add such tips and tricks


Le 21/9/16 à 18:00, Mariano Martinez Peck a écrit :

On Wed, Sep 21, 2016 at 11:50 AM, Johan Brichau < <>> wrote:

    > On 21 Sep 2016, at 12:31, Petr Fischer <
    <>> wrote:
    > Hello, two questions about Seaside sessions:
    > 1) URL sharing between different users - what if "boss" shares
    URL from his browser and send it to another regular user - of
    course, easy way, whole URL with session (_s=xxxx) - when
    another/regular user opens that link -> whole "boss" session opens
    in regular user's browser, with all "boss" permissions, UI state
    etc etc - very bad, is there any solution for this? Rewrite every
    (!) URL with updateURL: is not solution :(

    If this is a concern, you can use a cookie for session tracking,
    but that means you cannot have multiple Seaside sessions running
    in the same browser at the same time.

    There are probably other ways, but I think the solution is not to
    rely on a session key for authentication.
    Here’s a strategy:
    Keep the Seaside session key in the url for session tracking but
    use an authorization cookie for authorization. Put that cookie
    when the user logs in and check its presence when requests come in
    for a session.
    I think that using a filter for that is a good choice.

    Whenever another user copy/pastes the url, he cannot ‘hijack’ the
    session because he lacks the correct authentication cookie.

That's exactly what I did in my case. And the way to implement that was with a custom session tracker that dealt with the cookie plus a filter for the checking and kickout.

I can share this if someone wants it (I think I already shared it before)

    > 2) What is the actual way for "session expiration/login page"?
    There is few tutorials and books on the inet - but info about
    session expiration is obsolete :( Methods from tutorials not
    exists in Seaside 3.2.0.
    > Some trick with WAApplication subclass is actual?

    I’m not sure what the question is. Do you want to redirect users
    to a page whenever the session is expired?



Reply via email to