cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: continuations and session
Date Fri, 03 Sep 2004 14:00:30 GMT
Sylvain Wallez wrote:
> Leszek Gawron wrote:
> 
>> Is it possible (due to security reasons) to tie every continuation to 
>> a particular user session? This way no one could "hack" into the 
>> application by using an url from history. I have problems with my 
>> application because it allows to run a continuation even if user has 
>> logged out. If continuations were bound to a particular session 
>> destroying the session would invalidate ALL of them - which is much 
>> better solution than invalidating each by hand in flowscript.
>>
>> I found this problem and I really have no idea how I could fix this. 
>> Right now it looks like this:
> 
> 
> 
> <snip what="code"/>
> 
>> The problem is : I cannot wrap <map:call continuation/> with some 
>> session validator action because I do not know if this continuation 
>> does not belong to login procedure (this way I would block access to 
>> entering data into login form - total security! :)).
>>
>> I would like to keep the application logic intact so every 
>> /baseURL/callSomeFunction.do would show a login form first and then 
>> continue to appropriate page (if user has not been authenticated before).
>>
>> Please comment.
> 
> 
> 
> Well, IMO the only clean way to achieve this is to have a continuations 
> manager that automatically binds new continuations to the current 
> session, thus making fully isolated continuation groups.
> 
> I proposed this some time ago [1] for other purposes but hadn't the time 
> up to now to actually write it. Want to write it?
If you gave me a few hints what should be changed - I will do it.

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
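
The session-bound continuations manager proposed in the quoted reply, modelled here as an added example that is not part of the original message and is not Cocoon's own code. Class, method and session names are hypothetical, and the scenario data is constructed.

```javascript
// Minimal model of a continuation store that groups continuations by session.
// Assumption: all names are hypothetical, not Cocoon's ContinuationsManager API.

// Unguessable ids: Node's crypto module under CommonJS, Web Crypto otherwise.
const randomId = () => (typeof require === 'function'
  ? require('node:crypto') : globalThis.crypto).randomUUID();

class SessionContinuations {
  constructor() {
    this.bySession = new Map(); // sessionId -> Map(continuationId -> resume fn)
  }

  // Bind a new continuation to the session that created it.
  register(sessionId, resume) {
    if (!this.bySession.has(sessionId)) this.bySession.set(sessionId, new Map());
    const id = randomId();
    this.bySession.get(sessionId).set(id, resume);
    return id;
  }

  // Resolve only inside the caller's own session: an id replayed from
  // browser history or presented by another session yields null.
  lookup(sessionId, continuationId) {
    const group = this.bySession.get(sessionId);
    return (group && group.get(continuationId)) || null;
  }

  // Logout or session timeout: drop the whole group in one step.
  invalidateSession(sessionId) {
    return this.bySession.delete(sessionId);
  }
}

// Constructed scenario: a user works, logs out, then the old URL is replayed.
function replayAfterLogout() {
  const store = new SessionContinuations();
  const loginForm = store.register('anon-1', () => 'login form');
  const editPage = store.register('alice-1', () => 'edit page');
  const beforeLogout = store.lookup('alice-1', editPage) !== null;
  const crossSession = store.lookup('anon-1', editPage) !== null;
  store.invalidateSession('alice-1');
  return {
    beforeLogout,
    crossSession,
    afterLogout: store.lookup('alice-1', editPage) !== null,
    loginStillWorks: store.lookup('anon-1', loginForm)() === 'login form',
  };
}
```

Because the login form's continuation is bound to the unauthenticated session that requested it, no separate session-validator action has to distinguish login continuations from the rest.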
