cocoon-dev mailing list archives

From Reinhard Poetz
Subject Re: Continuation manager modes
Date Fri, 10 Dec 2004 15:00:16 GMT
Leszek Gawron wrote:
> Reinhard Poetz wrote:
>> Leszek Gawron wrote:
>>> Reinhard Poetz wrote:
>>>> Leszek Gawron wrote:
>>>>> Vadim Gritsenko wrote:
>>>>>> Leszek Gawron wrote:
>>>>>>> Previously we discussed three continuations manager work modes:
>>>>>>> - standard (current functionality)
>>>>>>> - continuations invalidated along with session, still the continuation
>>>>>>> is reachable from other sessions (or no session at all)
>>>>>>> - fully isolated. only the session that created the continuation
>>>>>>> can access it.
>>>> IIUC before you introduced your changes it was possible to reuse 
>>>> continuations independently from where they have been created. 
>>>> What's the use case for this so that we still have to support it?
>>> Hmm after 2nd reading of your post I see I did not understand you.
>>> There are two orthogonal aspects of continuation visibility:
>>> - interpreter aspect: continuation should always be resumed by the same
>>>   interpreter that created it. If not you could invoke your continuation
>>>   in other sitemap (wrong context, resource not found exceptions,
>>>   security problems).
>>>   This case has been fixed. Still you can enable the old behaviour
>>>   because some users relied on that functionality (although broken).
>>> - security aspect:
>>>   - OLD MODE: you can make your continuations visible for everyone. One
>>>     user creates a continuation and passes the link to another user. The
>>>     other one invokes it in a browser - it works. This is just as it has
>>>     been from the start.
>>>   - NEW MODE: secure continuations.
>>>     The above behaviour creates the following problems for authenticated web
>>>     applications:
>>>     * continuation ids might be stored in browser link history or page
>>>       cache.
>>>     * even though user has logged out and the session has been
>>>       invalidated the continuation might still be valid. As long as
>>>       resuming continuation does not query data from user session it
>>>       will work. This way you can have access to secured part of
>>>       application without even logging in.
>>>     So the following mode has been introduced:
>>>     * continuations are bound to the session.
>>>     * You can look up the continuation only among the ones you have
>>>       created yourself. This way even though you "steal" a continuation
>>>       id from somewhere it's no use for you.
>>>     * When the session gets invalidated all continuations get
>>>       invalidated too.
>>> Hope that clears the situation.
>> Thanks for the summary. The only point I still don't understand is: 
>> What's the use case to resume a continuation in a different sitemap? 
>> What did people try to solve this way? (I'm asking because it sounds 
>> like a bug and not like a feature that we have to maintain.)
> Let's ask the user himself.

Do you remember who it is?
Does she/he monitor cocoon-dev?
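
The session-bound ("NEW MODE") behaviour summarised in the quoted thread, as an added example that is not part of the original message and not Cocoon's own code: a standalone Java model in which lookup is scoped to the creating session and all continuations are dropped when that session is invalidated. The class name, method names, string session ids and the invalidation hook are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical model of session-bound continuations; not Cocoon's ContinuationsManager API.
public class SessionBoundContinuations {
    private static final SecureRandom RNG = new SecureRandom();

    // session id -> (continuation id -> saved state). There is deliberately no
    // global id table, so an id alone never resolves to a continuation.
    private final Map<String, Map<String, Object>> bySession = new ConcurrentHashMap<>();

    // Register a continuation under the session that created it.
    public String create(String sessionId, Object state) {
        String id = new BigInteger(128, RNG).toString(16);  // unguessable id
        bySession.computeIfAbsent(sessionId, s -> new ConcurrentHashMap<>()).put(id, state);
        return id;
    }

    // Look up only among the caller's own continuations: an id copied from
    // browser history or a page cache is useless in any other session.
    public Object lookup(String sessionId, String continuationId) {
        if (sessionId == null || continuationId == null) {
            return null;  // no session means no continuations at all
        }
        Map<String, Object> own = bySession.get(sessionId);
        return own == null ? null : own.get(continuationId);
    }

    // Assumed to be called from the session-invalidation hook (logout or timeout).
    public void sessionInvalidated(String sessionId) {
        bySession.remove(sessionId);
    }

    public static void main(String[] args) {
        SessionBoundContinuations mgr = new SessionBoundContinuations();
        // Constructed sample values.
        String id = mgr.create("session-A", "order form, step 2");
        System.out.println("owner session: " + mgr.lookup("session-A", id));
        System.out.println("other session: " + mgr.lookup("session-B", id));
        System.out.println("no session:    " + mgr.lookup(null, id));
        mgr.sessionInvalidated("session-A");
        System.out.println("after logout:  " + mgr.lookup("session-A", id));
    }
}
```

Only the first lookup returns the saved state; the other three return null, which covers both problems listed in the thread (reuse of a leaked id and resumption after logout).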

