Hi.
We have a seaside app that is nearing deployment in GLASS; but I tested this behaviour in Squeak with seaside 2.8a1-pmm.391 - which is the base for the gemstone port.

The entry point of our app is a WATask, which is presenting a login form and then - based on the access rights of the user - is building a WASimpleNavigation with different tabs (for various combinations of access rights), e.g.:

    (self session user hasUserRole: Administrator)
        ifTrue: [navigationMenu add: InterestCalculatorForm new label: 'Interest calculator'].
    (self session user hasUserRole: UserAdministrator)
        ifTrue: [navigationMenu add: UserPage new label: 'User list';
                     add: AuditDataPage new label: 'Audit data'].

etc.

If one is logged in as user1 on browser1 and pastes in the browser a url copied from browser2/user2 - he then gets the whole session rights and tabs of user2. This appears to me as if the first user gets hold of the whole session object of the second user. Is the seaside session re-built inside the image from the url?

Is there some way of protecting against such a url copy and paste?

Thanks
Liliana

Liliana Ivan
[hidden email]
(27) 12 663 3140
Finworks <http://www.finworks.biz/>

_______________________________________________
Seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
2007/9/10, Liliana <[hidden email]>:
> Hi.
>
> We have a seaside app that is nearing deployment in GLASS; but I tested this
> behaviour in Squeak with seaside 2.8a1-pmm.391 - which is the base for the
> gemstone port.
> The entry point of our app is a WATask, which is presenting a login form and
> then - based on the access rights of the user - is building a
> WASimpleNavigation with different tabs (for various combinations of access
> rights) eg:
>     (self session user hasUserRole: Administrator)
>         ifTrue: [navigationMenu add: InterestCalculatorForm new
>                     label: 'Interest calculator']
>     (self session user hasUserRole: UserAdministrator)
>         ifTrue: [navigationMenu add: UserPage new label: 'User list';
>                     add: AuditDataPage new label: 'Audit data']
> etc.
>
> If one is logged in as user1 on browser1 and pastes in the browser a url
> copied from browser2/user2 - he then gets the whole session rights and tabs
> of user2. This appears to me as if the first user gets hold of the whole
> session object of the second user. Is the seaside session re-build inside
> the image from the url?

No, they share the same session object (the value of the _s parameter in the url is used to look up the session).

> Is there some way of protecting against such a url copy and paste?

If the browsers are on different machines and not NATed then you can use WASessionProtector (add it as a decoration to your root component). You can also store the session key in a cookie instead of the url.

Cheers
Philippe

> Thanks
> Liliana
>
> Liliana Ivan
> [hidden email]
> (27) 12 663 3140
> Finworks <http://www.finworks.biz/>
>> Is there some way of protecting against such a url copy and paste?
>
> If the browsers are on different machines and not NATed then you can use WASessionProtector (add it as a decoration to your root component). You can also store the session key in a cookie instead of the url.
>
> Cheers
> Philippe

Thank you Philippe. This works in squeak. I took the discussion on the [hidden email] list

Liliana
In reply to this post by Philippe Marschall
On 9/10/07, Philippe Marschall <[hidden email]> wrote:

How do you manage to store the session key in a cookie?

regards,
Leandro
2007/9/11, Leandro Perez <[hidden email]>:
> On 9/10/07, Philippe Marschall <[hidden email]> wrote:
>
>>> Is there some way of protecting against such a url copy and paste?
>>
>> If the browsers are on different machines and not NATed then you can
>> use WASessionProtector (add it as a decoration to your root
>> component). You can also store the session key in a cookie instead of
>> the url.
>>
>> Cheers
>> Philippe
>
> How do you manage to store the session key in a cookie?

In the configuration of your application set "Use Session Cookie" to true.

Cheers
Philippe

> regards,
> Leandro
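Added example (not code from the thread or from Seaside itself) showing Philippe's first suggestion applied: a root component that wraps the login task and installs WASessionProtector as a decoration; the session-cookie setting from his second reply stays a change in the configuration application and is not repeated in code. FinRootComponent, FinLoginTask, the 'finworks' application path and the category name are assumed; WASessionProtector, addDecoration: and registerAsApplication: are Seaside 2.8 API.

```smalltalk
"Squeak fileout format. FinRootComponent and FinLoginTask are assumed names."
WAComponent subclass: #FinRootComponent
    instanceVariableNames: 'task'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'Finworks-Seaside'!

!FinRootComponent class methodsFor: 'registration'!
initialize
    "Run once when the class is loaded: registers the entry point
     under /finworks (path assumed)."
    self registerAsApplication: 'finworks'! !

!FinRootComponent methodsFor: 'initialization'!
initialize
    super initialize.
    "WASessionProtector checks that each request arrives from the
     client address the session was created with, so a copied _s key
     pasted into a browser on another machine no longer resumes the
     session. Caveat from the thread: browsers behind the same NAT
     present the same address and are not told apart by this check."
    self addDecoration: WASessionProtector new.
    "The login WATask from the thread, which builds the role-based
     WASimpleNavigation after a successful login."
    task := FinLoginTask new! !

!FinRootComponent methodsFor: 'accessing'!
children
    ^ Array with: task! !

!FinRootComponent methodsFor: 'rendering'!
renderContentOn: html
    html render: task! !

FinRootComponent initialize!
```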