cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sylvain Wallez <>
Subject Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Date Mon, 03 Oct 2005 12:08:02 GMT
Leszek Gawron wrote:

> Sylvain Wallez wrote:
>> Tony Collen wrote:
>>> Maybe it's time we make Cocoon automatically pull the continuation 
>>> ID  from a session tied to a cookie.
>> That won't work as a continuation is related to the page displayed in 
>> the browser rather than to the browser itself, as is a cookie.
>> I'm with Reinhard: let's tie continuations to sessions, which should 
>> be fine for 99.9% of the use cases. Even if the continuation ID is in 
>> the URL, it won't be accessible without the session id cookie.
> That functionality is already available but not enabled by default 
> because it enforces session creation.

Yes, I know that, and that's what I meant: let's make it the default. 
Continuations are server-side state anyway so I don't really see the 
problem with enforcing session creation when continuations are used.

Note also that load-balancing schemes are often based on session 
affinity, meaning if you use continuations without sessions, there is a 
non-negligible probability that a request to continue a flowscript will 
go to different server than the one that created it!


Sylvain Wallez                        Anyware Technologies
Apache Software Foundation Member     Research & Technology Director

View raw message