jackrabbit-oak-dev mailing list archives

From Jukka Zitting <jukka.zitt...@gmail.com>
Subject Re: Native HTTP bindings for Oak
Date Tue, 26 Jun 2012 10:27:53 GMT
Hi,

On Mon, Jun 25, 2012 at 2:26 PM, Jukka Zitting <jukka.zitting@gmail.com> wrote:
> By default the HTTP binding could simply use a fresh new session for
> each HTTP request, but it should be possible for a client to request a
> longer-lived session for more complex content modifications (import,
> batch jobs, etc.) or for getting a stable snapshot for larger reads
> (export, query, etc.) that shouldn't change while reading. I was
> thinking of handling such cases by allowing the client to generate
> such a session with a specific POST request that responds with a
> redirect to a temporary session URL that exposes the normal content
> tree as seen through that session. We'd use a lease mechanism to
> control the lifetime of such server-side sessions.

As a nice extra benefit, such a solution gives us effective protection
against CSRF attacks if we require that all writes need to go through
such sessions, with the session URL acting as a token that the
potential attacker can't access or use.

BR,

Jukka Zitting
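The session-URL scheme sketched above, as an added illustration that is neither Oak's code nor from this thread: an in-memory model in which plain reads get a per-request session, writes are only honoured under a leased session URL, and a forged cross-site request, which cannot learn the URL, is refused. The class name `SessionUrlBinding`, the `/sessions` path and the 300-second lease are assumptions.

```python
import secrets
import time

SESSION_PREFIX = "/sessions/"
LEASE_SECONDS = 300  # assumed lease length; the thread fixes no value


class SessionUrlBinding:
    """In-memory sketch of the design: one-off reads, leased session URLs for writes."""

    def __init__(self, now=time.monotonic):
        self._now = now    # injectable clock so lease expiry is testable
        self._leases = {}  # session token -> lease expiry (seconds on `now`)

    def _live_token(self, url):
        """Return the session token a URL addresses, or None if it has no live lease."""
        if not url.startswith(SESSION_PREFIX):
            return None
        token = url[len(SESSION_PREFIX):].split("/", 1)[0]
        expiry = self._leases.get(token)
        if expiry is None:
            return None
        if expiry < self._now():
            del self._leases[token]  # lease ran out: drop the server-side session
            return None
        return token

    def handle(self, method, url):
        """Dispatch one request; returns (status, headers)."""
        if method == "GET":
            if url.startswith(SESSION_PREFIX) and self._live_token(url) is None:
                return 404, {}  # snapshot expired or never existed
            return 200, {}      # plain read: fresh session per request, no token needed
        if method == "POST" and url == "/sessions":
            # Mint a long-lived session and redirect to its unguessable URL. A
            # cross-site page can send this POST but cannot read the Location
            # header back (same-origin policy), so it never learns the token.
            token = secrets.token_urlsafe(32)
            self._leases[token] = self._now() + LEASE_SECONDS
            return 303, {"Location": SESSION_PREFIX + token + "/"}
        if method in ("PUT", "POST", "DELETE"):
            token = self._live_token(url)
            if token is None:
                # Write outside a live session URL: a forged cross-site request
                # ends up here, since the attacker holds no token.
                return 403, {}
            self._leases[token] = self._now() + LEASE_SECONDS  # touch the lease
            return 200, {}
        return 405, {}
```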
