From: Sylvain Wallez
Date: Mon, 03 Oct 2005 12:04:07 +0200
To: dev@cocoon.apache.org
Subject: Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Message-ID: <43410217.5050704@apache.org>
In-Reply-To: <43407B8B.2060809@umn.edu>
References: <07e701c5c424$d5d9e1a0$0600000a@john> <37A85658-20E7-49E6-9660-17A8E9DBCC25@betaversion.org> <43407B8B.2060809@umn.edu>

Tony Collen wrote:
> Pier Fumagalli wrote:
>
>> I found this on the Jetty list, and thought it was relevant as in the
>> examples we tend to encode the continuation ID into the URL...
>>
>> This is f***ing scary!!!
>>
>> Pier
>
> Maybe it's time we make Cocoon automatically pull the continuation ID
> from a session tied to a cookie.

That won't work, as a continuation is related to the page displayed in the browser rather than to the browser itself, as is a cookie.

I'm with Reinhard: let's tie continuations to sessions, which should be fine for 99.9% of the use cases. Even if the continuation ID is in the URL, it won't be accessible without the session id cookie.

Sylvain

-- 
Sylvain Wallez
Anyware Technologies
http://people.apache.org/~sylvain
http://www.anyware-tech.com
Apache Software Foundation Member
Research & Technology Director