cocoon-dev mailing list archives

From Sylvain Wallez <sylv...@apache.org>
Subject Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Date Mon, 03 Oct 2005 10:04:07 GMT
Tony Collen wrote:

> Pier Fumagalli wrote:
>
>> I found this on the Jetty list, and thought it was relevant as in the 
>> examples we tend to encode the continuation ID into the URL...
>>
>> This is f***ing scary!!!
>>
>>     Pier
>
>
>
> Maybe it's time we make Cocoon automatically pull the continuation ID  
> from a session tied to a cookie.


That won't work as a continuation is related to the page displayed in 
the browser rather than to the browser itself, as is a cookie.

I'm with Reinhard: let's tie continuations to sessions, which should be 
fine for 99.9% of the use cases. Even if the continuation ID is in the 
URL, it won't be accessible without the session id cookie.

Sylvain

-- 
Sylvain Wallez                        Anyware Technologies
http://people.apache.org/~sylvain     http://www.anyware-tech.com
Apache Software Foundation Member     Research & Technology Director
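
Added example, not part of the original message and not Cocoon's own code: a minimal sketch of continuations tied to sessions, where a continuation ID taken from a URL resolves only when the request also carries the session cookie of the session that created it. The class and function names, the `continuation-id` query parameter and the request shape are assumptions made for illustration.

```javascript
// Added example with hypothetical names; this is not Cocoon's continuations API.
const { randomBytes } = require('node:crypto');

class SessionBoundContinuations {
  constructor() {
    this.bySession = new Map(); // sessionId -> Map(continuationId -> saved state)
  }

  // Store a continuation under the session that created it; the returned
  // ID is what would be encoded into the page's URL.
  create(sessionId, state) {
    if (!sessionId) throw new Error('a session is required');
    const id = randomBytes(16).toString('hex');
    if (!this.bySession.has(sessionId)) this.bySession.set(sessionId, new Map());
    this.bySession.get(sessionId).set(id, state);
    return id;
  }

  // Resolve an ID only within the presenting session. An ID owned by another
  // session looks the same as one that does not exist.
  lookup(sessionId, continuationId) {
    const own = this.bySession.get(sessionId);
    return own && own.has(continuationId) ? own.get(continuationId) : null;
  }

  // Invalidating a session drops every continuation it owns.
  invalidate(sessionId) {
    this.bySession.delete(sessionId);
  }
}

// Extract the session ID from a Cookie header (JSESSIONID is assumed here).
function sessionFromCookie(header) {
  for (const part of (header || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'JSESSIONID') return rest.join('=') || null;
  }
  return null;
}

// Constructed request shape: { url, headers: { cookie } }.
function resume(store, request) {
  const sessionId = sessionFromCookie(request.headers.cookie);
  const id = new URL(request.url, 'http://localhost').searchParams.get('continuation-id');
  const state = store.lookup(sessionId, id);
  return state === null ? { status: 404 } : { status: 200, state };
}
```

One session can hold several continuations at once, so each page or window keeps its own ID in its URL while the cookie only decides which session's continuations are reachable.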

