cocoon-dev mailing list archives

From Sylvain Wallez <>
Subject Re: continuations and session
Date Thu, 02 Sep 2004 21:49:51 GMT
Leszek Gawron wrote:

> Is it possible (due to security reasons) to tie every continuation to 
> a particular user session? This way no one could "hack" into the 
> application by using a URL from history. I have problems with my 
> application because it allows a continuation to run even if the user has 
> logged out. If continuations were bound to a particular session, 
> destroying the session would invalidate ALL of them - which is a much 
> better solution than invalidating each by hand in flowscript.
> I found this problem and I really have no idea how I could fix this. 
> Right now it looks like this:

<snip what="code"/>

> The problem is: I cannot wrap <map:call continuation/> with some 
> session validator action because I do not know if this continuation 
> does not belong to the login procedure (this way I would block access to 
> entering data into the login form - total security! :)).
> I would like to keep the application logic intact so every 
> /baseURL/ would show a login form first and then 
> continue to the appropriate page (if the user has not been authenticated before).
> Please comment.

Well, IMO the only clean way to achieve this is to have a continuations 
manager that automatically binds new continuations to the current 
session, thus making fully isolated continuation groups.

I proposed this some time ago [1] for other purposes but hadn't the time 
up to now to actually write it. Want to write it?



Sylvain Wallez                                  Anyware Technologies 
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
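
A minimal model of the session-bound continuations manager proposed in the reply above, as an added example that is not part of the original message and is not Cocoon code; the class, its method names and the session ids are hypothetical. It assumes a session already exists before login, so login-form continuations are bound to that pre-login session and need no special case.

```javascript
// Added example: hypothetical model, not Cocoon's ContinuationsManager API.
const { randomBytes } = require("node:crypto");

class SessionBoundContinuations {
  constructor() {
    // sessionId -> Map(continuationId -> resume function)
    this.bySession = new Map();
  }

  // Register a continuation in the group of the session that created it.
  create(sessionId, resume) {
    if (!sessionId) throw new Error("a continuation needs an owning session");
    const id = randomBytes(16).toString("hex"); // unguessable continuation id
    if (!this.bySession.has(sessionId)) this.bySession.set(sessionId, new Map());
    this.bySession.get(sessionId).set(id, resume);
    return id;
  }

  // Resolve only inside the caller's own session group; anything else is null.
  lookup(sessionId, continuationId) {
    const group = this.bySession.get(sessionId);
    return (group && group.get(continuationId)) || null;
  }

  // Session destroyed (logout or timeout): the whole group goes at once,
  // so no per-continuation invalidation is needed in the flow code.
  invalidateSession(sessionId) {
    return this.bySession.delete(sessionId);
  }
}

// Constructed scenario covering the cases raised in the thread.
function demo() {
  const mgr = new SessionBoundContinuations();
  const anon = "sess-anon"; // constructed id: session that exists before login
  const loginStep = mgr.create(anon, () => "check credentials");
  const loginWorks = mgr.lookup(anon, loginStep) !== null;

  const alice = "sess-alice", other = "sess-other"; // constructed ids
  const editStep = mgr.create(alice, () => "save record");
  const ownerCanResume = mgr.lookup(alice, editStep)() === "save record";
  const otherSessionBlocked = mgr.lookup(other, editStep) === null;

  mgr.invalidateSession(alice); // logout destroys the session
  const blockedAfterLogout = mgr.lookup(alice, editStep) === null;
  return { loginWorks, ownerCanResume, otherSessionBlocked, blockedAfterLogout };
}
```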
