Koen,
   Thanks for the reply :)

Out of interest, how easy is it to fake a session? The reason I ask is that
I adore the simplicity of your aforementioned login from a static page,
especially aligned to HTTPS; however, say a malicious user becomes aware of a
logged-in user session, how difficult would it be for the malicious user to
falsify the logged-in user's session? Does the framework check against IP for
verification of the session as well as cookies/URL?

In addition, I was reading about the issues with the license of the current
ExtJS solution. jQuery may offer a replacement library (skinnable to look
identical to ExtJS).

Finally, can multiple Wt apps run on the same domain without session issues?
i.e. 1) whatever.com/ 2) whatever.com/admin where the public and admin
webapps are entirely separate Wt instances?

Cheers,
Roja

2008/6/11 Koen Deforche <[EMAIL PROTECTED]>:

> Hey Roja,
>
> 2008/6/9 Roja Anthony Buck <[EMAIL PROTECTED]>:
> > Hi,
> >
> > I am just taking a look at your framework and am mighty impressed with
> > its simplicity. That said I wondered if anyone could give me a hint
> > towards solving the following questions:
> >
> > 1) Is there any way of making the served pages valid? i.e.
> > http://tinyurl.com/6hjx46 (At the moment the lack of a doc type and the
> > use of ampersands breaks the pages according to the W3C)
>
> Currently, W3C validation has been given low priority, and we perceive
> it to be mostly a marketing problem. While there is certainly room for
> improving our validity, which we intend to do, it will only be to the
> extent that we do not compromise our support for non-compliant
> browsers (such as IE6). Therefore, do not expect to get a 100% valid
> response!
>
> The pragmatic approach we took so far is to develop based on accepted
> best practices (including work-arounds for browser incompatibilities),
> and to test using many browsers for correctness.
>
> > 2) Is there any framework in place for handling users?
> > Login/Logout/Access Levels, or a preferred method suggested by users of Wt?
>
> I think there are many different needs and approaches.
>
> For example, to secure access to an application you could provide a
> simple static web form which posts to the application. In the
> createApplication() method you can verify credentials to determine
> whether a new session should be started, or whether you wish to
> instead redirect the user to another static "bad login" page. This is
> a simple way to protect against DoS attacks since only valid users can
> start a new session. You may want to do all this through HTTPS to
> protect the user/password combination, and switch to HTTP afterwards.
>
> Within the application, you can easily differentiate access levels, by
> simply not 'displaying' access to certain features. This automatically
> guards against access to those features since the central controller
> only allows access to 'exposed events' (a malicious user cannot 'fake'
> a click to a button that is not shown).
>
> To bind users with passwords and access levels, Wt does not provide
> anything. That would probably belong in a (XML) file or database?
>
> Regards,
> koen
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> witty-interest mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/witty-interest
>



-- 
Anthony Roger Buck BSc (Hons) St.A. MBCS
Department of Computer Science
MVB. Clifton, Bristol. BS8 1UB.
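Added example, not code from Wt or from either poster: a self-contained C++ sketch of the gate Koen describes, where the credential check happens before any session is created, and of the kind of session id that answers Roja's "how easy is it to fake a session?" question. Everything here (the `gateLogin` function, the parameter map standing in for the POSTed form, the credential store) is an assumption for illustration, not Wt's API.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <random>
#include <string>

// Outcome of the check: either a fresh session is started, or the client is
// sent to a static "bad login" page and no session is ever created.
struct LoginDecision {
    bool startSession;
    std::string sessionId;   // set only when startSession is true
    std::string redirectTo;  // set only when startSession is false
};

// Constant-time comparison so that a wrong password does not reveal how many
// leading characters matched through response timing.
bool constantTimeEqual(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// 128 bits from the OS entropy source, hex-encoded (32 characters). This is
// what an onlooker would have to guess to impersonate a logged-in user; an
// id this size cannot be enumerated, unlike a counter or a timestamp.
std::string newSessionId() {
    std::random_device rd;
    static const char* hex = "0123456789abcdef";
    std::string id;
    for (int i = 0; i < 4; ++i) {
        std::uint32_t w = rd();
        for (int n = 0; n < 8; ++n) { id += hex[w & 0xf]; w >>= 4; }
    }
    return id;
}

// Hypothetical stand-in for the check done inside createApplication():
// `params` holds the POSTed form fields, `store` maps user -> expected secret
// (plaintext here for brevity; a deployment would hold a salted hash).
LoginDecision gateLogin(const std::map<std::string, std::string>& params,
                        const std::map<std::string, std::string>& store) {
    auto u = params.find("user");
    auto p = params.find("password");
    if (u == params.end() || p == params.end()) return {false, "", "/bad-login.html"};
    auto entry = store.find(u->second);
    // Unknown user: compare against a dummy of equal length so "no such user"
    // and "wrong password" take the same time and look the same to the client.
    std::string expected = (entry != store.end()) ? entry->second
                                                  : std::string(p->second.size(), '\0');
    bool ok = (entry != store.end()) && constantTimeEqual(p->second, expected);
    if (!ok) return {false, "", "/bad-login.html"};
    return {true, newSessionId(), ""};
}
```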