cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Continuation manager modes
Date Fri, 10 Dec 2004 15:11:46 GMT
Reinhard Poetz wrote:
> Leszek Gawron wrote:
> 
>> Reinhard Poetz wrote:
>>
>>> Leszek Gawron wrote:
>>>
>>>> Reinhard Poetz wrote:
>>>>
>>>>> Leszek Gawron wrote:
>>>>>
>>>>>> Vadim Gritsenko wrote:
>>>>>>
>>>>>>> Leszek Gawron wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Previously we have discussed about three continuations manager
>>>>>>>> work modes:
>>>>>>>>
>>>>>>>> - standard (current functionality)
>>>>>>>> - continuations invalidated along with session, still the
>>>>>>>>   continuation is reachable from other sessions (or no session at all)
>>>>>>>> - fully isolated. only the session that created the continuation
>>>>>>>>   can access it.
>>>>>
>>>>> IIUC before you introduced your changes it was possible to reuse
>>>>> continuations independently from where they have been created.
>>>>> What's the usecase for this so that we still have to support it?
>>>>
>>>> Hmm after 2nd reading of your post I see I did not understand you.
>>>>
>>>> There are two orthogonal aspects of continuation visibility:
>>>> - interpreter aspect: continuation should always be resumed by the same
>>>>   interpreter that created it. If not you could invoke your continuation
>>>>   in other sitemap (wrong context, resource not found exceptions,
>>>>   security problems).
>>>>   This case has been fixed. Still you can enable the old behaviour
>>>>   because some users relied on that functionality (although broken).
>>>>
>>>> - security aspect:
>>>>   - OLD MODE: you can make your continuations visible for everyone. One
>>>>     user creates a continuation and passes the link to another user. The
>>>>     other one invokes it in a browser - it works. This is just as it has
>>>>     been from the start.
>>>>   - NEW MODE: secure continuations.
>>>>     Above behaviour creates following problems for authenticated web
>>>>     applications:
>>>>     * continuation ids might be stored in browser link history or page
>>>>       cache.
>>>>     * even though user has logged out and the session has been
>>>>       invalidated the continuation might still be valid. As long as
>>>>       resuming continuation does not query data from user session it
>>>>       will work. This way you can have access to secured part of
>>>>       application without even logging in.
>>>>     So the following mode has been introduced:
>>>>     * continuations are bound to the session.
>>>>     * You can lookup the continuation only among the ones you have
>>>>       created yourself. This way even though you "steal" a continuation
>>>>       id from somewhere it's no use for you.
>>>>     * When the session gets invalidated all continuations get
>>>>       invalidated too.
>>>>
>>>> Hope that clears the situation.
>>>
>>> Thanks for the summary. The only point I still don't understand is: 
>>> What's the usecase to resume a continuation in a different sitemap? 
>>> What did people try to solve this way? (I'm asking because it sounds 
>>> like a bug and not like a feature that we have to maintain.)
>>>
>> Let's ask the user himself.
>
> Do you remember who is it?
> Does she/he monitor cocoon-dev?
I have already posted a message to dev (you probably already know that). 
He has also created a PATCH for that so we can add the same question to 
bugzilla and he will get it on his private mailbox.

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
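
The three continuation manager modes and the interpreter check summarised in the quoted message, modelled as an added example that is not part of the original thread and is not Cocoon's own code. `Mode`, `ContinuationStore`, `replayScenario` and the session and sitemap names are hypothetical, and the interpreter check is always on here although the thread says the old behaviour can still be enabled.

```javascript
const crypto = require('node:crypto');
// Hypothetical names for the three modes listed in the thread.
const Mode = Object.freeze({
  STANDARD: 'standard',                  // continuations outlive the session
  SESSION_INVALIDATED: 'session-bound',  // die with the session, reachable by anyone
  ISOLATED: 'isolated',                  // only the creating session can look them up
});

class ContinuationStore {
  constructor(mode) {
    this.mode = mode;
    this.byId = new Map();       // id -> { session, interpreter, resume }
    this.bySession = new Map();  // session -> Set of ids it created
  }
  create(session, interpreter, resume) {
    const id = crypto.randomBytes(16).toString('hex');
    this.byId.set(id, { session, interpreter, resume });
    if (!this.bySession.has(session)) this.bySession.set(session, new Set());
    this.bySession.get(session).add(id);
    return id;
  }
  lookup(id, session, interpreter) {
    const k = this.byId.get(id);
    if (!k) return null;
    // Interpreter aspect: resume only in the interpreter (sitemap) that created it.
    if (k.interpreter !== interpreter) return null;
    // Security aspect: in isolated mode a foreign or missing session finds nothing.
    if (this.mode === Mode.ISOLATED && k.session !== session) return null;
    return k;
  }
  invalidateSession(session) {
    const ids = this.bySession.get(session) || new Set();
    this.bySession.delete(session);
    if (this.mode === Mode.STANDARD) return 0;  // old behaviour: nothing is dropped
    for (const id of ids) this.byId.delete(id);
    return ids.size;
  }
}

// Constructed scenario: the id is replayed from another session, another sitemap, and after logout.
function replayScenario(mode) {
  const store = new ContinuationStore(mode);
  const id = store.create('alice', 'sitemap-A', () => 'secured page');
  const otherSession = store.lookup(id, 'bob', 'sitemap-A') !== null;
  const otherSitemap = store.lookup(id, 'alice', 'sitemap-B') !== null;
  store.invalidateSession('alice');
  const afterLogout = store.lookup(id, null, 'sitemap-A') !== null;
  return { otherSession, otherSitemap, afterLogout };
}
```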
