Ok. I brought up the topic, so I'll try to explain.
This infinite redirect can happen in two cases:
1. We have a buggy server that doesn't append the session to the URL (or has
some other way of broken session management).
2. We have a malicious client that drops the session identifier, either
from the URL or the cookie, while redirecting (does anybody know of such a client?).
In the first case, it's the administrator's responsibility to make sure that
his/her server is API-compliant and DOES at least do URL session
appending. IMHO, we may insist on it, especially because there exist
solutions like Jakarta-Tomcat - free, robust, etc. etc. We may agree on
supporting Servlet API 2.1 or 2.0, but they still require from the server
the ability to do URL session appending. So... it's not our problem that
the server does not append the session id to the redirected URL. Sorry, but when you
set up a web server, you have to know what you're eating (from my own
experience - one version, don't remember which, of the IBM Domino
servlet engine didn't append the session id to the URL, though it managed
sessions using cookies - so beware - hope IBM won't sue me for this
anti-advertisement stuff :).
Second case - when the user maliciously drops session ids - is also not our
concern. It's no problem for anyone to write a loop that constantly hits
the same URL address - and voilà - what a nice DOS attack :). Putting
"infinite redirect" detection stuff inside Turbine.java does not
prevent this kind of practice. We simply have no control over
the behaviour of the client.
Conclusion:
The code inside Turbine.java protects us only in the first case (and
moreover the code that is there right now does it not quite like I
expected - see earlier posts - I'm not sure whether it's totally wrong -
it still works somehow - but seemingly behaves differently than expected).
But in the first case, when the server loses its session, it's hard to use
Turbine at all - you know why - TurbineUser and ACL :).
So, I propose - let's drop this stuff. It does not work like it should,
and even if it did -- it wouldn't prevent (almost) anything.
Additionally it does this ugly thing - when you hit the
root of your Turbine application for the first time - it throws an "infinite redirect"
exception, even if the session has been created and set.
Any comments ? Thoughts ?
Regards.
Scooter
Jon Stevens wrote:
>
> [snipped...]
>
> INFINITE REDIRECT:
>
> The issue is that if a session has not been assigned to a user, then they
> are redirected to the "screen.homepage". The problem is that it is easily
> possible to get caught in an infinite redirect loop because you could
> redirect to the same URL over and over again and could be a DOS
> (denial-of-service) attack against Turbine. So, if you have suggestions on
> how to make this code more reliable, I would appreciate it, but I am -1 on
> removing it.
>
> [snipped...]
>
------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>
Problems?: [EMAIL PROTECTED]
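The two cases argued over above can be played through with a small model. The following is an added illustration, not code from Turbine or from either poster: a stand-in servlet container that creates a session and redirects to the homepage whenever a request carries no valid session id, plus a bounded "redirect hop" guard, and clients that model a cookie-less browser and a client that discards the session id from the URL. The URL layout (`jsessionid` and `_hop` as query parameters), the threshold `MAX_REDIRECT_HOPS`, the homepage path and the host `example.test` are all constructed assumptions of this model.

```python
"""Model of the redirect-to-homepage-until-a-session-exists pattern and a
bounded redirect-loop guard. Added illustration, not Turbine code: the
server, client and URL layout (jsessionid/_hop as query parameters) are
simplifications assumed here."""
import itertools
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

MAX_REDIRECT_HOPS = 5                         # assumed guard threshold, not a Turbine setting
HOMEPAGE = "/servlet/Turbine/screen/homepage"  # constructed path for the model


def _param(query, name, default=None):
    """First value of a query parameter, or the default when absent."""
    return parse_qs(query).get(name, [default])[0]


def strip_param(url, name):
    """Return url without the named query parameter."""
    parsed = urlparse(url)
    query = {k: v for k, v in parse_qs(parsed.query).items() if k != name}
    return urlunparse(parsed._replace(query=urlencode(query, doseq=True)))


class Server:
    """Servlet-container stand-in: creates a session and redirects to the
    homepage when a request carries no valid session id."""

    def __init__(self, appends_session_to_url=True):
        self.appends_session_to_url = appends_session_to_url  # False models case 1
        self.sessions = set()
        self.requests_served = 0
        self._ids = itertools.count(1)

    def handle(self, url, cookies):
        self.requests_served += 1
        parsed = urlparse(url)
        sid = cookies.get("JSESSIONID") or _param(parsed.query, "jsessionid")
        hops = int(_param(parsed.query, "_hop", "0"))
        if sid in self.sessions:
            return 200, {}, "screen rendered"
        # Guard: a redirect chain that never yields a session is cut off with
        # an error page instead of yet another redirect.
        if hops >= MAX_REDIRECT_HOPS:
            return 500, {}, "infinite redirect detected"
        sid = f"sess{next(self._ids)}"
        self.sessions.add(sid)
        params = {"_hop": hops + 1}
        if self.appends_session_to_url:   # the URL session appending the post insists on
            params["jsessionid"] = sid
        location = urlunparse(parsed._replace(path=HOMEPAGE, query=urlencode(params)))
        return 302, {"Set-Cookie": f"JSESSIONID={sid}", "Location": location}, ""


class Client:
    """Follows redirects; the flags model a cookie-less browser and a client
    that discards the session id from the URL (case 2 in the post)."""

    def __init__(self, keeps_cookies=True, keeps_url_session=True):
        self.keeps_cookies = keeps_cookies
        self.keeps_url_session = keeps_url_session

    def fetch(self, server, url):
        """Return (final status, number of redirects followed)."""
        cookies = {}
        for hop in range(MAX_REDIRECT_HOPS + 5):
            status, headers, _ = server.handle(url, cookies)
            if status != 302:
                return status, hop
            if self.keeps_cookies and "Set-Cookie" in headers:
                name, value = headers["Set-Cookie"].split("=", 1)
                cookies[name] = value
            url = headers["Location"]
            if not self.keeps_url_session:
                url = strip_param(url, "jsessionid")
        return "gave up", hop


def run_scenarios(entry="http://example.test/servlet/Turbine"):
    """Outcome for each combination of server behaviour and client behaviour."""
    healthy, buggy = Server(), Server(appends_session_to_url=False)
    return {
        "healthy server, normal browser": Client().fetch(healthy, entry),
        "healthy server, cookies off": Client(keeps_cookies=False).fetch(healthy, entry),
        "buggy server, cookies off": Client(keeps_cookies=False).fetch(buggy, entry),
        "healthy server, drops both": Client(False, False).fetch(healthy, entry),
    }


def repeated_chains(times=3):
    """The guard bounds one chain, but a client that simply restarts the chain
    still costs the server a fresh run of requests every time."""
    server = Server()
    client = Client(keeps_cookies=False, keeps_url_session=False)
    for _ in range(times):
        client.fetch(server, "http://example.test/servlet/Turbine")
    return server.requests_served


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
    print("requests served over 3 restarted chains:", repeated_chains(3))
```

The model reproduces the argument in the thread: with a server that appends the session id to the URL, a client reaches the homepage after one redirect whether or not it accepts cookies; a server that drops the id (case 1) or a client that strips it (case 2) looks identical to the guard, which ends the chain with an error page after a fixed number of hops rather than redirecting forever. `repeated_chains` shows the limit of that guard: it only bounds a single chain, so a client that keeps restarting the chain still generates load, which is the separate rate-limiting concern the post points at rather than something the redirect check can address.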