> On 21 Sep 2016, at 12:31, Petr Fischer <petr.fisc...@me.com> wrote:
> 
> Hello, two questions about Seaside sessions:
> 
> 1) URL sharing between different users - what if the "boss" shares a URL from his 
> browser and sends it to another regular user - of course, the easy way, the whole URL 
> with the session (_s=xxxx) - when the other/regular user opens that link -> the whole 
> "boss" session opens in the regular user's browser, with all "boss" permissions, 
> UI state etc. etc. - very bad, is there any solution for this? Rewriting every 
> (!) URL with updateURL: is not a solution :(

If this is a concern, you can use a cookie for session tracking, but that means 
you cannot have multiple Seaside sessions running in the same browser at the 
same time.

There are probably other ways, but I think the solution is not to rely on a 
session key for authentication.
Here’s a strategy:
Keep the Seaside session key in the URL for session tracking but use an 
authorization cookie for authorization. Set that cookie when the user logs in 
and check its presence when requests come in for a session.
I think that using a filter for that is a good choice.

Whenever another user copies/pastes the URL, he cannot ‘hijack’ the session 
because he lacks the correct authentication cookie.

> 2) What is the actual way to do "session expiration/login page"? There are a few 
> tutorials and books on the internet - but the info about session expiration is 
> obsolete :( Methods from the tutorials do not exist in Seaside 3.2.0.
> Is some trick with a WAApplication subclass the current way?

I’m not sure what the question is. Do you want to redirect users to a page 
whenever the session is expired?

cheers
Johan

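The strategy Johan describes (session key stays in the URL, a separate authorization cookie is bound to the session at login and checked by a request filter) as an added, stand-alone illustration. This is not code from the thread or from Seaside; it is a plain Python model of the check, with a hypothetical `_auth_<sessionkey>` cookie name and a constructed `Request` object standing in for Seaside's request context. Seaside's own `WARequestFilter` API is not modelled. The cookie name is scoped to the session key so that two sessions in one browser keep separate cookies, which is the property plain cookie-based session tracking loses.

```python
"""Session key in the URL (_s=...) plus a per-session authorization cookie.

Added example, not part of the original mailing-list post.  The cookie name
prefix, the Request shape and the demo data are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

COOKIE_PREFIX = "_auth_"  # hypothetical; one cookie per session key


@dataclass
class Session:
    key: str                                # travels in the URL as _s=<key>
    user: Optional[str] = None              # set at login
    auth_hash: Optional[bytes] = None       # sha256(cookie value); raw token is never stored


@dataclass
class Request:
    query: Dict[str, str] = field(default_factory=dict)    # parsed query string
    cookies: Dict[str, str] = field(default_factory=dict)  # parsed Cookie header


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def cookie_name(session: Session) -> str:
    return COOKIE_PREFIX + session.key


def login(session: Session, user: str) -> str:
    """Bind a fresh random token to the session; caller sets it as a cookie."""
    token = secrets.token_urlsafe(32)
    session.user = user
    session.auth_hash = _digest(token)
    return token


def set_cookie_header(session: Session, token: str) -> str:
    # HttpOnly keeps the token away from page scripts; Secure/SameSite limit leakage.
    return (f"Set-Cookie: {cookie_name(session)}={token}; "
            "Path=/; HttpOnly; Secure; SameSite=Strict")


def auth_filter(sessions: Dict[str, Session], request: Request) -> str:
    """Run before dispatch.  Returns a verdict rather than the session itself."""
    session = sessions.get(request.query.get("_s", ""))
    if session is None:
        return "no-session"      # unknown/expired key: let the framework start a new one
    if session.user is None:
        return "anonymous"       # not logged in yet: fall through to the login page
    presented = request.cookies.get(cookie_name(session))
    if presented is None or not hmac.compare_digest(_digest(presented), session.auth_hash):
        return "denied"          # URL copied without the cookie: do not expose the session
    return "ok"


def demo() -> Dict[str, str]:
    """Constructed scenario: boss logs in, shares the URL, regular user opens it."""
    sessions: Dict[str, Session] = {}
    boss = Session(key="a1b2c3")
    sessions[boss.key] = boss
    token = login(boss, "boss")
    shared_url_query = {"_s": boss.key}
    return {
        "boss": auth_filter(sessions, Request(shared_url_query, {cookie_name(boss): token})),
        "copied_url_no_cookie": auth_filter(sessions, Request(shared_url_query, {})),
        "copied_url_wrong_cookie": auth_filter(
            sessions, Request(shared_url_query, {cookie_name(boss): "guess"})),
        "unknown_session": auth_filter(sessions, Request({"_s": "zzz"}, {})),
        "before_login": auth_filter({"k": Session(key="k")}, Request({"_s": "k"}, {})),
    }


if __name__ == "__main__":
    print(demo())
```

A "denied" verdict should end the request (for example with a redirect to the login page) without rendering the session's components; the pasted `_s` value alone is then useless to the second user. Storing only the hash of the token means a leaked session dump does not yield usable cookies, and `hmac.compare_digest` avoids timing side channels on the comparison.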