Hi Tomas,

> I agree with José, I think the URL handling in PicoLisp is broken.
> 
> > The main purpose of a URL is not to copy/paste it, and usually
> > mistakes like the above one can be easily avoided.
> 
> Copying and pasting URLs is one of the most important features.

Copying session-URLs is not typical. A session in an application is a
very local issue, which is normally not copied. Such URLs don't make
sense in a context outside of the application, as they depend on the
state of the virtual GUI components on the server.

The Wiki is special in this regard. It is not a typical PicoLisp
application.


> It should
> uniquely identify a resource after all.  In this case it completely
> failed to identify the wiki page.

Yes! And a resource in an application's session is very different from a
resource in a static web page. A session should never be identified from
the outside.



> What you didn't mention, for example, is that keeping the session in the URL
> makes it visible to all sorts of middle men and logged who knows where.

The session runs over HTTPS, of course. If not, the application setup is
broken.

Again, the wiki is not typical here.

A cookie in a browser is much less safe, because it is not so obvious to
the user. Can he be sure it is removed when he closes the browser? What
if he uses the application from an internet cafe?


I feel much better and safer with a session ID embedded in the URL,
because I can _see_ it.

And if I really can't avoid copy/pasting it, I can easily remove the
session ID part. Only if I'm sure about what I'm doing, of course,
because, as I said, in most cases the URL of a page in a session makes
absolutely no sense outside that session.


> On the whole, if PicoLisp implements this strategy using the session in the
> URL, it should also include a fallback that would cope with expired
> sessions

How? An expired session is a terminated process. All context of that
session is gone.

> and identify correct pages.  We had the discussion some time
> ago.  This fallback might have to be an application-specific thing so maybe
> the wiki software is broken from this point of view, not sure.

Yes, I simply used the existing mechanisms, though a wiki is not a
typical application. That wiki was a quick-and-dirty hack, within a few
days, to get something running after the old wiki failed.

Everybody is free to change it. The sources are available.

Cheers,
- Alex