cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Date Mon, 03 Oct 2005 11:48:54 GMT
Sylvain Wallez wrote:
> Tony Collen wrote:
> 
>> Pier Fumagalli wrote:
>>
>>> I found this on the Jetty list, and thought it was relevant as in the 
>>> examples we tend to encode the continuation ID into the URL...
>>>
>>> This is f***ing scary!!!
>>>
>>>     Pier
>>
>> Maybe it's time we make Cocoon automatically pull the continuation ID  
>> from a session tied to a cookie.
>
> That won't work as a continuation is related to the page displayed in 
> the browser rather than to the browser itself, as is a cookie.
> 
> I'm with Reinhard: let's tie continuations to sessions, which should be 
> fine for 99.9% of the use cases. Even if the continuation ID is in the 
> URL, it won't be accessible without the session id cookie.
That functionality is already available but not enabled by default 
because it enforces session creation.

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
IT Manager                                         MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
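
An added illustration of the session binding discussed in this thread; it is not part of the original message and not Cocoon's own code. The class `SessionBoundContinuations` and its methods are hypothetical, and the session IDs in `main` are constructed sample values.

```java
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical continuation store (assumption: not Cocoon's API).
public class SessionBoundContinuations {
    private record Entry(String ownerSessionId, Object state) {}

    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // A continuation needs an owner, so a session must exist before one can be
    // created: the forced session creation the message gives as the reason
    // this behaviour is not the default.
    public String create(String sessionId, Object state) {
        if (sessionId == null) throw new IllegalArgumentException("session required");
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String id = HexFormat.of().formatHex(raw);
        entries.put(id, new Entry(sessionId, state));
        return id;
    }

    // The ID taken from the URL resolves only for the session that created it.
    public Optional<Object> lookup(String sessionId, String continuationId) {
        if (sessionId == null || continuationId == null) return Optional.empty();
        Entry e = entries.get(continuationId);
        if (e == null || !e.ownerSessionId().equals(sessionId)) {
            return Optional.empty(); // unknown ID and wrong session look identical
        }
        return Optional.of(e.state());
    }

    // Drop a session's continuations when it is invalidated or expires.
    public void invalidateSession(String sessionId) {
        entries.values().removeIf(e -> e.ownerSessionId().equals(sessionId));
    }

    public static void main(String[] args) {
        SessionBoundContinuations store = new SessionBoundContinuations();
        String id = store.create("session-A", "checkout step 2"); // constructed values
        System.out.println("owner session:   " + store.lookup("session-A", id).isPresent());
        System.out.println("other session:   " + store.lookup("session-B", id).isPresent());
        System.out.println("no session at all: " + store.lookup(null, id).isPresent());
    }
}
```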
