Hello, two questions about Seaside sessions:

1) URL sharing between different users - what if "boss" shares a URL from his browser and sends it to another, regular user - of course, the easy way, the whole URL with the session (_s=xxxx) - when the other/regular user opens that link -> the whole "boss" session opens in the regular user's browser, with all "boss" permissions, UI state etc. etc. - very bad. Is there any solution for this? Rewriting every (!) URL with updateURL: is not a solution :(

2) What is the actual way to do "session expiration/login page"? There are a few tutorials and books on the net - but the info about session expiration is obsolete :( Methods from the tutorials do not exist in Seaside 3.2.0. Is some trick with a WAApplication subclass the current way?

Thanks very much! pf
1) If you share the URL with the _s parameter, then you can continue that session in another browser/machine. This is so because by default the application uses WAQueryFieldHandlerTrackingStrategy as the #trackingStrategy config. But you can override it and use any of the WAHandlerTrackingStrategy concrete subclasses, to make it cookie based or IP based.

2) There is no special trick regarding the session, but it is true there is no default "authentication/login" component ready to be used. All sessions have an instance of WASession, preferably one subclass of your own, which you must "login" or "logout" based on your own criteria. You can modify the expiration time as well as completely remove it explicitly by sending #unregister to the session object, usually as part of a "logout" or "signout" method of your own.

I hope this helps.

Regards,

Esteban A. Maringolo

2016-09-21 7:31 GMT-03:00 Petr Fischer <[hidden email]>:
> Hello, two questions about Seaside sessions:
>
> 1) URL sharing between different users - what if "boss" shares URL from his browser and send it to another regular user - of course, easy way, whole URL with session (_s=xxxx) - when another/regular user opens that link -> whole "boss" session opens in regular user's browser, with all "boss" permissions, UI state etc etc - very bad, is there any solution for this? Rewrite every (!) URL with updateURL: is not solution :(
>
> 2) What is the actual way for "session expiration/login page"? There is few tutorials and books on the inet - but info about session expiration is obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
> Some trick with WAApplication subclass is actual?
>
> Thanks very much! pf
In reply to this post by Petr Fischer
On Wed, Sep 21, 2016 at 7:31 AM, Petr Fischer <[hidden email]> wrote:
> Hello, two questions about Seaside sessions:

Probably it's not what you need, but in my case I wanted to forbid (show an error) what you call "URL sharing" because of security issues. Anyway, if you want this, let me know and I'll show you how I did it.

> 2) What is the actual way for "session expiration/login page"? There is few tutorials and books on the inet - but info about session expiration is obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
In reply to this post by Petr Fischer
> On 21 Sep 2016, at 12:31, Petr Fischer <[hidden email]> wrote:
>
> Hello, two questions about Seaside sessions:
>
> 1) URL sharing between different users - what if "boss" shares URL from his browser and send it to another regular user - of course, easy way, whole URL with session (_s=xxxx) - when another/regular user opens that link -> whole "boss" session opens in regular user's browser, with all "boss" permissions, UI state etc etc - very bad, is there any solution for this? Rewrite every (!) URL with updateURL: is not solution :(

If this is a concern, you can use a cookie for session tracking, but that means you cannot have multiple Seaside sessions running in the same browser at the same time.

There are probably other ways, but I think the solution is not to rely on a session key for authentication.
Here’s a strategy:
Keep the Seaside session key in the url for session tracking but use an authorization cookie for authorization. Put that cookie when the user logs in and check its presence when requests come in for a session.
I think that using a filter for that is a good choice.

Whenever another user copy/pastes the url, he cannot ‘hijack’ the session because he lacks the correct authentication cookie.

> 2) What is the actual way for "session expiration/login page"? There is few tutorials and books on the inet - but info about session expiration is obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
> Some trick with WAApplication subclass is actual?

I’m not sure what the question is. Do you want to redirect users to a page whenever the session is expired?

cheers
Johan
On Wed, Sep 21, 2016 at 11:50 AM, Johan Brichau <[hidden email]> wrote:
That's exactly what I did in my case. And the way to implement that was with a custom session tracker that dealt with the cookie plus a filter for the checking and kickout.

I can share this if someone wants it (I think I already shared it before)

> 2) What is the actual way for "session expiration/login page"? There is few tutorials and books on the inet - but info about session expiration is obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
Mariano,
this would be a perfect article for your blog (hint, hint) and I'd be one of the first and most excited readers. I must admit I am sometimes frightened by all the filters and whatnot that I could be using for certain tasks. I always feel like I miss half of the power of Seaside because there is no documentation or tutorials on all that stuff (or are there????)

So it would be great if you could not only share your code but also explain it a little bit, for dummies like me...

Joachim
In reply to this post by Johan Brichau-2
> > Hello, two questions about Seaside sessions:
> >
> > 1) URL sharing between different users - what if "boss" shares URL from his browser and send it to another regular user - of course, easy way, whole URL with session (_s=xxxx) - when another/regular user opens that link -> whole "boss" session opens in regular user's browser, with all "boss" permissions, UI state etc etc - very bad, is there any solution for this? Rewrite every (!) URL with updateURL: is not solution :(
>
> If this is a concern, you can use a cookie for session tracking, but that means you cannot have multiple Seaside sessions running in the same browser at the same time.
>
> There are probably other ways, but I think the solution is not to rely on a session key for authentication.
> Here’s a strategy:
> Keep the Seaside session key in the url for session tracking but use an authorization cookie for authorization. Put that cookie when the user logs in and check its presence when requests come in for a session.
> I think that using a filter for that is a good choice.
>
> Whenever another user copy/pastes the url, he cannot ‘hijack’ the session because he lacks the correct authentication cookie.

This sounds reasonable. Thanks.

> > 2) What is the actual way for "session expiration/login page"? There is few tutorials and books on the inet - but info about session expiration is obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
> > Some trick with WAApplication subclass is actual?
>
> I’m not sure what the question is. Do you want to redirect users to a page whenever the session is expired?

Yes, just an ordinary redirect to the login page, with a proper expiration notice (when the session is expired).

Another question is how to handle session expiration inside an AJAX call (also with a proper redirect to the login page with an expiration notice) - this is harder. There are some solutions, like a "ping" from the web browser to the Seaside server so the session never expires, but this conflicts with my/common needs (I want a session timeout with auto logout).

> cheers
> Johan
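Johan's strategy above (the _s key stays in the URL for session tracking, a separate authentication cookie is set at login and a filter checks it on every request, with a kickout and a redirect to the login page carrying an expiration notice, as Petr asks for) written out in Pharo Smalltalk, as an added example that is not code from this thread, from Mariano's implementation or from Seaside itself. It assumes the Seaside 3.x classes and selectors as I remember them: WASession, WARequestFilter, WARequestFilter>>handler, WARequestHandler>>addFilter: and #initializeFilters, WACookie key:value: and #httpOnly:, WARequest>>cookieAt:, WAResponse>>addCookie:, WAResponseGenerator>>redirectTo: and #respond, WAUrl>>addField:value:, WAKeyGenerator, WAAdmin register:asApplicationAt: and #preferenceAt:put:. AuthCookieSession, AuthCookieFilter, MyRootComponent and the cookie name are invented for the example. It does not handle a request whose _s key is already gone from the registry (that path never reaches the session's filters) and does not address the AJAX case.

```smalltalk
"Added example, not from the thread. Session tracking stays with the default
 _s query field; authorization is bound to a random cookie that only the
 browser which logged in has. Names prefixed Auth* are invented here."

WASession subclass: #AuthCookieSession
    instanceVariableNames: 'user authToken'
    classVariableNames: ''
    package: 'AuthCookieExample'.

AuthCookieSession class >> cookieName
    ^ 'SEASIDE_AUTH'    "assumed; any name Seaside does not use itself will do"

AuthCookieSession >> initializeFilters
    "Install the check in this session's filter chain (assumes WARequestHandler>>addFilter:)."
    super initializeFilters.
    self addFilter: AuthCookieFilter new

AuthCookieSession >> isAuthenticated
    ^ user notNil

AuthCookieSession >> user
    ^ user

AuthCookieSession >> login: aUser
    "Call this from your own login component once credentials are verified.
     The token is random and lives only in this session and in the cookie,
     so it never appears in a URL that could be copied."
    | cookie |
    user := aUser.
    authToken := WAKeyGenerator current keyOfLength: 32.    "assumed: the generator Seaside uses for _s keys"
    cookie := WACookie key: self class cookieName value: authToken.
    cookie httpOnly: true.    "assumed selector; keeps the token away from page scripts"
    self requestContext response addCookie: cookie

AuthCookieSession >> logout
    "Explicit sign-out: drop the whole session, as Esteban suggests with #unregister."
    user := nil.
    authToken := nil.
    self unregister

AuthCookieSession >> acceptsRequest: aRequestContext
    "True only when the request carries the cookie with exactly this session's token."
    | presented |
    presented := aRequestContext request cookieAt: self class cookieName.
    ^ presented notNil and: [ self constantTimeEquals: presented with: authToken ]

AuthCookieSession >> constantTimeEquals: aString with: anotherString
    "Compare without stopping at the first differing character."
    | diff |
    aString size = anotherString size ifFalse: [ ^ false ].
    diff := 0.
    aString with: anotherString do: [ :a :b |
        diff := diff bitOr: (a asInteger bitXor: b asInteger) ].
    ^ diff = 0

AuthCookieSession >> rejectRequest: aRequestContext
    "A logged-in session reached from a browser without the cookie: the shared-URL
     case. Kill the session (the real user simply logs in again) and send the caller
     to the application root with a notice field the login page can display."
    | url |
    url := self application url copy.    "assumes WASession>>application and WAApplication>>url"
    url addField: 'notice' value: 'expired'.
    self unregister.
    aRequestContext responseGenerator
        redirectTo: url asString;
        respond

WARequestFilter subclass: #AuthCookieFilter
    instanceVariableNames: ''
    classVariableNames: ''
    package: 'AuthCookieExample'.

AuthCookieFilter >> handleFiltered: aRequestContext
    "Runs before the session handles any request (assumes WARequestFilter>>handler
     answers the session at the end of the chain). Sessions that have not logged in
     yet pass through, so the login page itself can still be served."
    | session |
    session := self handler.
    (session isAuthenticated and: [ (session acceptsRequest: aRequestContext) not ])
        ifTrue: [ ^ session rejectRequest: aRequestContext ].
    ^ self next handleFiltered: aRequestContext

"Registration: keep the default URL tracking, only swap in the session class.
 MyRootComponent stands for your own root component."
(WAAdmin register: MyRootComponent asApplicationAt: 'myapp')
    preferenceAt: #sessionClass put: AuthCookieSession.

"The alternative Esteban mentions: cookie-based tracking via #trackingStrategy,
 at the cost of one Seaside session per browser (assumed class name):
 (WADispatcher default handlerAt: 'myapp')
     preferenceAt: #trackingStrategy put: WACookieHandlerTrackingStrategy new."
```

Two design points worth noting: the session is unregistered on a failed check rather than just answering an error page, because a request that has the _s key but not the cookie means the key has leaked and should not stay valid; and the login page reads the 'notice' field from the URL, so the same redirect serves both the kickout and an ordinary timeout handled elsewhere.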
In reply to this post by Mariano Martinez Peck
> > > Hello, two questions about Seaside sessions:
> > >
> > > 1) URL sharing between different users - what if "boss" shares URL from his browser and send it to another regular user - of course, easy way, whole URL with session (_s=xxxx) - when another/regular user opens that link -> whole "boss" session opens in regular user's browser, with all "boss" permissions, UI state etc etc - very bad, is there any solution for this? Rewrite every (!) URL with updateURL: is not solution :(
> >
> > If this is a concern, you can use a cookie for session tracking, but that means you cannot have multiple Seaside sessions running in the same browser at the same time.
> >
> > There are probably other ways, but I think the solution is not to rely on a session key for authentication.
> > Here’s a strategy:
> > Keep the Seaside session key in the url for session tracking but use an authorization cookie for authorization. Put that cookie when the user logs in and check its presence when requests come in for a session.
> > I think that using a filter for that is a good choice.
> >
> > Whenever another user copy/pastes the url, he cannot ‘hijack’ the session because he lacks the correct authentication cookie.
>
> That's exactly what I did in my case. And the way to implement that was with a custom session tracker that dealt with the cookie plus a filter for the checking and kickout.
>
> I can share this if someone wants it (I think I already shared it before)

Other beginners with Pharo/Seaside might appreciate it if this were a standard part of Seaside. In the standard Seaside package there is, for example, the class WAIPSessionTrackingStrategy; it's nice as an example, but unusable in the real world. Your session tracking strategy is definitely more useful - can you share it? Can you share it with the Seaside developers? :)

> > > 2) What is the actual way for "session expiration/login page"? There is few tutorials and books on the inet - but info about session expiration is obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
> > > Some trick with WAApplication subclass is actual?
> >
> > I’m not sure what the question is. Do you want to redirect users to a page whenever the session is expired?
> >
> > cheers
> > Johan
>
> --
> Mariano
> http://marianopeck.wordpress.com
In reply to this post by jtuchel
> Mariano,
>
> this would be a perfect article for your blog (hint, hint) and I'd be one of the first and excited readers. I must admit I sometimes am frightened by all the filters and whatnot that I could be using for certain tasks. I always feel like I miss half of what the power of Seaside is because there is no documentation or tutorias on all that stuff (or are there????)

Exactly! There is some documentation on the net, but it is often obsolete - even the official documentation (book.seaside.st, for example). A blog post is nice and welcome, but blogs and blog systems die sometimes, and then what? Also, there is some article/blog post for a very old Seaside, another article for the previous Seaside, and no article for the current Seaside... A central point (under pharo.org) for all the valid, current knowledge resources is necessary (IMHO).

> So it would be great if you could not only share your code but also explain it a little bit, for dummies like me...
>
> Joachim
In reply to this post by Mariano Martinez Peck
> > Hello, two questions about Seaside sessions:
> >
> > 1) URL sharing between different users - what if "boss" shares URL from his browser and send it to another regular user - of course, easy way, whole URL with session (_s=xxxx) - when another/regular user opens that link -> whole "boss" session opens in regular user's browser, with all "boss" permissions, UI state etc etc - very bad, is there any solution for this? Rewrite every (!) URL with updateURL: is not solution :(
>
> Probably it's not what you need, but in my case I wanted to forbid (show an error) what you call "URL sharing" because of security issues. Anyway, if you want this, let me know and I show you how I did it.

Yes, this is also possible, but instructing users not to share their URLs is insufficient (they will do it!). How is it possible to "forbid" URL copy/pasting from one browser to another? With the session + auth cookie tracking strategy (already suggested in this thread)?

> > 2) What is the actual way for "session expiration/login page"? There is few tutorials and books on the inet - but info about session expiration is obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
> > Some trick with WAApplication subclass is actual?
> >
> > Thanks very much! pf
>
> --
> Mariano
> http://marianopeck.wordpress.com
In reply to this post by Mariano Martinez Peck
Mariano,

It would be cool. Why don't you paste it on your blog? I hope to get back to the Seaside book one of these days, and I would like to add such tips and tricks.

Stef

On 21/9/16 at 18:00, Mariano Martinez Peck wrote:
OK, "TooMuchPressureException signal".

I will do it. There is another open-source task related to OSSubprocess that I must address first. Then I will come to this one. Probably I can also put the code on GitHub.

Will let you know when ready.

Cheers,

On Thu, Sep 22, 2016 at 2:53 PM, stepharo <[hidden email]> wrote:
In reply to this post by Petr Fischer
| mariano us |
[mariano writeThatFrickinBlogPostFor: us]
    on: TooMuchPressureException
    do: [:ex | ex doOnlyIfAndAsSoonAs: (TimeFound and: [mariano feelsLikeIt])].

Please don't feel stressed. I feel your pain ;-)

My/our reaction just shows how much we thirst for more detailed information on the many things that Seaside has learned since 2.8 and that are more or less undocumented... not your fault, you just publicly stated you know something ;-)

Am 22.09.2016 20:10 schrieb Mariano Martinez Peck <[hidden email]>:
>
> OK, "TooMuchPressureExpcetion signal".
>
> I will do it. There is another open-source-task related to OSSubprocess that I must address first. Then will come to this one.
> Probably I can also put the code in github.
>
> Will let you know when ready.
>
> Cheers,
>
> On Thu, Sep 22, 2016 at 2:53 PM, stepharo <[hidden email]> wrote:
>>
>> Mariano
>>
>> It would be cool.
>>
>> Why don't you paste it on your blog?
>>
>> I hope to get back to the seaside book one of these days and I would like to add such tips and tricks
>>
>> Stef
>>
>> Le 21/9/16 à 18:00, Mariano Martinez Peck a écrit :
>>>
>>> On Wed, Sep 21, 2016 at 11:50 AM, Johan Brichau <[hidden email]> wrote:
>>>>
>>>> > On 21 Sep 2016, at 12:31, Petr Fischer <[hidden email]> wrote:
>>>> >
>>>> > Hello, two questions about Seaside sessions:
>>>> >
>>>> > 1) URL sharing between different users - what if "boss" shares URL from his browser and send it to another regular user - of course, easy way, whole URL with session (_s=xxxx) - when another/regular user opens that link -> whole "boss" session opens in regular user's browser, with all "boss" permissions, UI state etc etc - very bad, is there any solution for this? Rewrite every (!) URL with updateURL: is not solution :(
>>>>
>>>> If this is a concern, you can use a cookie for session tracking, but that means you cannot have multiple Seaside sessions running in the same browser at the same time.
>>>>
>>>> There are probably other ways, but I think the solution is not to rely on a session key for authentication.
>>>> Here’s a strategy:
>>>> Keep the Seaside session key in the url for session tracking but use an authorization cookie for authorization. Put that cookie when the user logs in and check its presence when requests come in for a session.
>>>> I think that using a filter for that is a good choice.
>>>>
>>>> Whenever another user copy/pastes the url, he cannot ‘hijack’ the session because he lacks the correct authentication cookie.
>>>>
>>>
>>> That's exactly what I did in my case. And the way to implement that was with a custom session tracker that dealt with the cookie plus a filter for the checking and kickout.
>>>
>>> I can share this if someone wants it (I think I already shared it before)
>>>
>>>> > 2) What is the actual way for "session expiration/login page"? There is few tutorials and books on the inet - but info about session expiration is obsolete :( Methods from tutorials not exists in Seaside 3.2.0.
>>>> > Some trick with WAApplication subclass is actual?
>>>>
>>>> I’m not sure what the question is. Do you want to redirect users to a page whenever the session is expired?
>>>>
>>>> cheers
>>>> Johan
>>>
>>> --
>>> Mariano
>>> http://marianopeck.wordpress.com
>
> --
> Mariano
> http://marianopeck.wordpress.com