Mariano

It would be cool.

Why don't you paste it on your blog?

I hope to get back to the Seaside book one of these days, and I would like to add such tips and tricks.


Stef


On 21/9/16 at 18:00, Mariano Martinez Peck wrote:


On Wed, Sep 21, 2016 at 11:50 AM, Johan Brichau <jo...@inceptive.be> wrote:


    > On 21 Sep 2016, at 12:31, Petr Fischer <petr.fisc...@me.com> wrote:
    >
    > Hello, two questions about Seaside sessions:
    >
    > 1) URL sharing between different users - what if the "boss" shares
    a URL from his browser and sends it to another, regular user - of
    course, the easy way, the whole URL with the session (_s=xxxx) - when
    the other/regular user opens that link -> the whole "boss" session opens
    in the regular user's browser, with all the "boss" permissions, UI state
    etc. etc. - very bad, is there any solution for this? Rewriting every
    (!) URL with updateURL: is not a solution :(

    If this is a concern, you can use a cookie for session tracking,
    but that means you cannot have multiple Seaside sessions running
    in the same browser at the same time.

    There are probably other ways, but I think the solution is not to
    rely on a session key for authentication.
    Here’s a strategy:
    Keep the Seaside session key in the url for session tracking but
    use an authorization cookie for authorization. Put that cookie
    when the user logs in and check its presence when requests come in
    for a session.
    I think that using a filter for that is a good choice.

    Whenever another user copy/pastes the url, he cannot ‘hijack’ the
    session because he lacks the correct authentication cookie.


That's exactly what I did in my case. And the way to implement that was with a custom session tracker that dealt with the cookie plus a filter for the checking and kickout.

I can share this if someone wants it (I think I already shared it before).

    > 2) What is the current way to do "session expiration/login page"?
    There are few tutorials and books on the internet - and the info about
    session expiration is obsolete :( Methods from the tutorials don't
    exist in Seaside 3.2.0.
    > Is some trick with a WAApplication subclass the current way?

    I’m not sure what the question is. Do you want to redirect users
    to a page whenever the session is expired?

    cheers
    Johan




--
Mariano
http://marianopeck.wordpress.com
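To make the cookie-plus-filter strategy from the thread concrete, here is an added, constructed Python model of it; it is not Seaside code and not Johan's or Mariano's implementation. It assumes a cookie named authToken and a Seaside-style _s URL field. The point it adds beyond the thread: the filter compares the cookie value against a secret stored in the session it resolves from _s, rather than only checking that some cookie is present, because the regular user in Petr's scenario may well be logged in himself and therefore holds a perfectly valid cookie of his own. In Seaside the filter would be a WARequestFilter subclass overriding handleFiltered:, and the login step would add the cookie with WAResponse>>addCookie:.

```python
"""Toy model of 'session key in the URL, authorization in a cookie bound to that session'.
Constructed example; not Seaside code. Cookie name and URL shape are assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

AUTH_COOKIE = "authToken"   # assumed cookie name


@dataclass
class Session:
    key: str                          # what Seaside puts in the _s URL field
    user: Optional[str] = None        # set at login
    auth_token: Optional[str] = None  # random secret issued at login, sent as the cookie


def parse_session_key(url: str) -> Optional[str]:
    """Pull the _s field out of a Seaside-style URL (.../app?_s=<key>&_k=<cont>)."""
    return parse_qs(urlparse(url).query).get("_s", [None])[0]


class Server:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        s = Session(key=secrets.token_hex(8))
        self.sessions[s.key] = s
        return s

    def login(self, session_key: str, user: str) -> Dict[str, str]:
        """Login: mint a fresh random token, store it in the session, and return it
        as the cookie the browser would keep (a Set-Cookie header in a real response)."""
        session = self.sessions[session_key]
        session.user = user
        session.auth_token = secrets.token_urlsafe(32)
        return {AUTH_COOKIE: session.auth_token}

    def handle(self, url: str, cookies: Dict[str, str]) -> Tuple[int, str]:
        """The request filter: resolve the session from _s, then require the cookie
        whose value is bound to *that* session. Presence alone is not enough."""
        session = self.sessions.get(parse_session_key(url) or "")
        if session is None:
            return 404, "no such session"
        if session.user is None:
            return 200, "login page"
        presented = cookies.get(AUTH_COOKIE)
        if presented is None or not hmac.compare_digest(presented, session.auth_token):
            # Kick out: the requester holds the URL but not this session's secret.
            return 403, "authorization cookie missing or not bound to this session"
        return 200, f"welcome back, {session.user}"


def presence_only_check(session: Session, cookies: Dict[str, str]) -> bool:
    """The weaker check (cookie merely present), for contrast: it passes for anyone
    who is logged in to *any* session, so a pasted boss URL would still hijack."""
    return session.user is not None and AUTH_COOKIE in cookies


def demo() -> Dict[str, object]:
    """Walk through Petr's scenario: boss shares his URL with a regular user."""
    server = Server()
    boss = server.new_session()
    boss_cookies = server.login(boss.key, "boss")
    boss_url = f"http://app.example/app?_s={boss.key}&_k=abc"   # constructed URL

    regular = server.new_session()
    regular_cookies = server.login(regular.key, "regular")

    return {
        "boss_own_browser": server.handle(boss_url, boss_cookies)[0],
        "pasted_not_logged_in": server.handle(boss_url, {})[0],
        "pasted_while_logged_in": server.handle(boss_url, regular_cookies)[0],
        "regular_own_browser": server.handle(
            f"http://app.example/app?_s={regular.key}", regular_cookies)[0],
        "presence_only_would_pass": presence_only_check(boss, regular_cookies),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The cookie here is a plain dict; in a real response it should be set with HttpOnly and Secure (and a path matching the application), rotated at every login as above, and cleared from both the session and the browser on logout so that a stale URL plus a stale cookie does not keep working.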
