cocoon-dev mailing list archives

From Peter Hunsberger <peter.hunsber...@gmail.com>
Subject Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Date Mon, 03 Oct 2005 15:15:26 GMT
On 10/3/05, Sylvain Wallez <sylvain@apache.org> wrote:
> Tony Collen wrote:
>
> > Pier Fumagalli wrote:
> >
> >> I found this on the Jetty list, and thought it was relevant as in the
> >> examples we tend to encode the continuation ID into the URL...
> >>
> >> This is f***ing scary!!!
> >>
> >>     Pier
> >
> >
> >
> > Maybe it's time we make Cocoon automatically pull the continuation ID
> > from a session tied to a cookie.
>
>
> That won't work as a continuation is related to the page displayed in
> the browser rather than to the browser itself, as is a cookie.

We did this for a while; our user base doesn't generally fork the
browser and rarely uses back (all menu driven).  However, it's simpler
to just automatically add the continuation to the form as a hidden
field.  We've got an 80-line (or so) transformer that finds all forms
and adds the continuation.  We just add this transformer to the end of
any pipeline that might be creating forms...

> I'm with Reinhard: let's tie continuations to sessions, which should be
> fine for 99.9% of the use cases. Even if the continuation ID is in the
> URL, it won't be accessible without the session id cookie.
>
> Sylvain
>
> --
> Sylvain Wallez                        Anyware Technologies
> http://people.apache.org/~sylvain     http://www.anyware-tech.com
> Apache Software Foundation Member     Research & Technology Director
>
>


--
Peter Hunsberger
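[Editor's note, not part of the thread.] The two mitigations discussed above, a transformer that injects the continuation ID into every form as a hidden field, and a continuation lookup that refuses an ID unless it was created under the caller's session, as an added illustration. This is not Cocoon's code and not Peter's transformer; it uses Python's xml.sax filter API as a stand-in for a Cocoon SAX transformer, the field name `continuation`, a constructed XHTML page, and a hypothetical `ContinuationStore` in place of Cocoon's continuation manager.

```python
import hmac
import io
import secrets
import xml.sax
from xml.sax.saxutils import XMLFilterBase, XMLGenerator
from xml.sax.xmlreader import AttributesImpl


class ContinuationFormFilter(XMLFilterBase):
    """SAX filter standing in for a Cocoon transformer: for every <form>
    element it emits <input type="hidden" name=... value=...> right after the
    form's start tag, so the continuation ID travels in the POST body instead
    of the URL (where IE7's bug, and referrer/history/proxy logs, expose it)."""

    def __init__(self, parent, field_name, continuation_id):
        super().__init__(parent)
        self.field_name = field_name
        self.continuation_id = continuation_id

    def startElement(self, name, attrs):
        super().startElement(name, attrs)          # pass the <form ...> through
        if name == "form":
            hidden = AttributesImpl({
                "type": "hidden",
                "name": self.field_name,
                "value": self.continuation_id,
            })
            super().startElement("input", hidden)  # <input type="hidden" .../>
            super().endElement("input")


def add_continuation_fields(xhtml, continuation_id, field_name="continuation"):
    """Run the filter over a well-formed XHTML document and return the result."""
    out = io.StringIO()
    flt = ContinuationFormFilter(xml.sax.make_parser(), field_name, continuation_id)
    flt.setContentHandler(XMLGenerator(out, short_empty_elements=True))
    flt.parse(io.StringIO(xhtml))
    return out.getvalue()


class ContinuationStore:
    """Hypothetical continuation registry (not Cocoon's) that binds each
    continuation to the session that created it, per Sylvain's suggestion:
    a leaked continuation ID is useless without the matching session cookie."""

    def __init__(self):
        self._entries = {}   # continuation_id -> (session_id, saved_state)

    def create(self, session_id, state):
        cid = secrets.token_urlsafe(16)      # unguessable, like a session ID
        self._entries[cid] = (session_id, state)
        return cid

    def resume(self, cid, session_id):
        """Return the saved state, or None if the ID is unknown or belongs to a
        different session. Constant-time compare avoids leaking the owner."""
        entry = self._entries.get(cid)
        if entry is None:
            return None
        owner, state = entry
        if not hmac.compare_digest(owner, session_id):
            return None
        return state


# Constructed sample page with two forms and one non-form element.
SAMPLE_PAGE = """<html><body>
<form action="/step2" method="post"><input name="q"/></form>
<p>not a form</p>
<form action="/other" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    store = ContinuationStore()
    cid = store.create("sess-A", {"step": 1})
    print(add_continuation_fields(SAMPLE_PAGE, cid))
    print("same session:", store.resume(cid, "sess-A"))
    print("other session:", store.resume(cid, "sess-B"))
```

Note that binding a continuation to the session is a separate property from hiding the ID in the form: the hidden field keeps the ID out of the URL bar, history and Referer headers, while the session check makes a copied ID worthless to anyone who does not also hold the cookie. Both together are cheap, and neither breaks the back button the way pulling the continuation out of the session alone would.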
