Thanks guys,<br>I see now. That is a good feature.<br><br>Eric<br><br><div class="gmail_quote">On Tue, Mar 4, 2008 at 10:14 AM, Stephen De Gabrielle <<a href="mailto:stephen@degabrielle.name">stephen@degabrielle.name</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi, <br><br>I think I have this right; <br><br>It's a feature because you can bookmark it or send the url to a friend and share it. <br>
<div class="Ih2E3d"><br>
> I feel like this makes it easy to hijack a user's session, am I wrong?<br></div>How you secure a session to an individual user is separate; <br><br>- a unique url is sometimes used in low security applications. (e.g. Google Calendar lets you create an UNindexed url for your private calendar - anyone who has the url can see your calendar)<br>
<br>- cookies are a simple and easy method that is often used to maintain a session. Cookie access is granted by your browser to websites with the same domain name; web applications at <a href="http://www.google.com" target="_blank">www.google.com</a> can 'see' only cookies created by web pages at <a href="http://www.google.com" target="_blank">www.google.com</a> (or <a href="http://subdomain.www.google.com" target="_blank">subdomain.www.google.com</a> etc.)<br>
<br>- SSL is (or should be) used for the login phase when a greater level of security is desired. <br><br>BTW I think you use <b>send/finish</b> for single-use URLs <br><br>Cheers, <br>Stephen<div><div></div><div class="Wj3C7c">
<br><br><div class="gmail_quote">
<br>On Tue, Mar 4, 2008 at 2:50 PM, Jay McCarthy <<a href="mailto:jay.mccarthy@gmail.com" target="_blank">jay.mccarthy@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
This is what should happen.<br>
<br>
There is no way to change the behavior that if "X" runs when you go to<br>
URL "Y" from computer "A", then it will also happen from computer "B".<br>
So, it is easy to hijack a user's session if you don't prepare for it.<br>
<br>
For example, you can make the "X" that happens rely on the computer<br>
being "A", through a cookie, for example or by requiring an HTTP<br>
password on the url (that will be cached and transparent to a client<br>
who has already logged in.)<br>
<br>
Jay<br>
<br>
BTW, we consider this a feature.<br>
<div><div></div><div><br>
On Tue, Mar 4, 2008 at 6:27 AM, Eric Biunno <<a href="mailto:01rice@gmail.com" target="_blank">01rice@gmail.com</a>> wrote:<br>
> In v371,<br>
> when I connect to a servlet from one client computer and receive a<br>
> continuation embedded into URL,<br>
> I can then invoke this continuation from another client computer without a<br>
> problem.<br>
> Is this what should happen? Does the development version behave the same<br>
> way? Is there a way to change this behavior?<br>
> Am I not understanding the proper use of web-server continuations?<br>
> I feel like this makes it easy to hijack a user's session, am I wrong?<br>
><br>
> Thanks,<br>
> Eric<br>
><br>
</div></div>> _________________________________________________<br>
> For list-related administrative tasks:<br>
> <a href="http://list.cs.brown.edu/mailman/listinfo/plt-scheme" target="_blank">http://list.cs.brown.edu/mailman/listinfo/plt-scheme</a><br>
><br>
><br>
<font color="#888888"><br>
<br>
<br>
--<br>
Jay McCarthy <<a href="mailto:jay.mccarthy@gmail.com" target="_blank">jay.mccarthy@gmail.com</a>><br>
<a href="http://jay.teammccarthy.org" target="_blank">http://jay.teammccarthy.org</a><br>
</font></blockquote></div><br><br clear="all"><br>-- <br></div></div>Cheers,<br><br>Stephen<br><br>--<br>Stephen De Gabrielle<br><a href="mailto:s.degabrielle@ucl.ac.uk" target="_blank">s.degabrielle@ucl.ac.uk</a><br>Telephone +44 (0)20 7679 5242 (x45242)<br>
Mobile 079 851 890 45<br>Project: Making Sense of Information (MaSI)<br><a href="http://www.uclic.ucl.ac.uk/annb/MaSI.html" target="_blank">http://www.uclic.ucl.ac.uk/annb/MaSI.html</a><br><br>UCLIC: University College London Interaction Centre<br>
<a href="http://www.uclic.ucl.ac.uk/" target="_blank">http://www.uclic.ucl.ac.uk/</a><br><br>Remax House - 31/32 Alfred Place<br>London - WC1E 7DP
</blockquote></div><br>
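<br>The three behaviours discussed in the thread (a continuation URL resumes from any computer, binding it to a cookie issued to computer "A", and a single-use URL in the style of <b>send/finish</b>) as an added worked example. This is a Python model written for this page, not code from the PLT web-server; the class and function names, the cookie name "session" and the return strings are all assumptions made for the illustration, and the URL-embedded id is modelled as a random token looked up in a server-side table.<br>

```python
"""Model of URL-embedded continuations and of two ways to stop them being
replayed from a second client.  Constructed for illustration: this is not
the PLT web-server's own code, and every name below is an assumption."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    # Hypothetical request: the continuation id is parsed from the URL "Y",
    # the cookies are whatever the calling browser chose to send.
    k_id: str
    cookies: dict = field(default_factory=dict)


class ContinuationStore:
    """Maps the random id embedded in a URL to the server-side closure "X"."""

    def __init__(self):
        # k_id -> (closure, session the URL is bound to or None, single-use flag)
        self._table = {}

    def register(self, closure, bound_session=None, single_use=False):
        k_id = secrets.token_urlsafe(16)
        self._table[k_id] = (closure, bound_session, single_use)
        return k_id

    def invoke(self, req):
        entry = self._table.get(req.k_id)
        if entry is None:
            return "expired"            # unknown or already consumed id
        closure, bound_session, single_use = entry
        if bound_session is not None:
            presented = req.cookies.get("session", "")
            # constant-time compare so the session value cannot be guessed
            # byte by byte from response timing
            if not hmac.compare_digest(presented, bound_session):
                return "forbidden"      # right URL, wrong computer
        if single_use:
            del self._table[req.k_id]   # the send/finish analogue: one resume only
        return closure()


def demo():
    """Run the three cases from the thread and return the outcomes."""
    store = ContinuationStore()
    session_a = secrets.token_urlsafe(16)   # cookie issued to computer "A" at login
    client_a = {"session": session_a}
    client_b = {}                            # computer "B" has the URL, not the cookie

    def step():
        return "ok"

    plain = store.register(step)                            # default behaviour
    bound = store.register(step, bound_session=session_a)   # tied to A's cookie
    once = store.register(step, single_use=True)            # single-use URL

    return {
        "plain_from_a": store.invoke(Request(plain, client_a)),
        "plain_from_b": store.invoke(Request(plain, client_b)),  # B succeeds
        "bound_from_a": store.invoke(Request(bound, client_a)),
        "bound_from_b": store.invoke(Request(bound, client_b)),  # B refused
        "once_first": store.invoke(Request(once, client_a)),
        "once_again": store.invoke(Request(once, client_a)),     # already consumed
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The unbound case is the default the thread describes: the id in the URL is the only credential, so whoever holds the URL can resume the continuation. Binding to a session cookie is the "rely on the computer being A" option; an HTTP Basic password would slot into the same check by comparing the decoded Authorization header instead of the cookie. Marking a continuation single-use does not stop a replay that beats the legitimate client to the URL, so it complements the cookie binding rather than replacing it.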