Re: Continuation manager modes

Fri, 10 Dec 2004 06:37:21 -0800

Reinhard Poetz wrote: 
Leszek Gawron wrote:

Vadim Gritsenko wrote:

Leszek Gawron wrote:


Previously we have discussed about three continuations manager work modes:

- standard (current functionality)
- continuations invalidated along with session, still the continuation
is reachable from other sessions (or no session at all)
- fully isolated. only the session that created the continuation can
access it.


IIUC before you introduced your changes it was possible to reuse continuations independently from where they have been created. What's the usecase for this so that we still have have to support it? 
Hmm after 2nd reading of your post I see I did not understand you.

There are two orthogonal aspects of continuation visibility:
- interpreter aspect: continuation should always be resumed by the same
  interpreter that created it. If not you could invoke your continuation
  in other sitemap (wrong context, resource not found exceptions,
  security problems).
  This case has been fixed. Still you can enable the old behaviur
  because some users relied on that functionality (although broken).

- security aspect:
  - OLD MODE: you can make your continuations visible for everyone. One
    user creates a continuation and passes the link to another user. The
    other one invokes it in a browser - it works. This is just as it has
    been from the start.
  - NEW MODE: secure continuations.
    Above behaviour creates following problems for authenticated web
    applications:
    * continuation ids might be stored in browser link history or page
      cache.
    * even though user has logged out and the session has been
      invalidated the continuation might still be valid. As long as
      resuming continuation does not query data from user session it
      will work. This way you can have access to secured part of
      application without even logging in.
    So the following mode has been introduced:
    * continuations are bound to the session.
    * You can lookup the continuation only among the ones you have
      created yourself. This way even though you "steal" a continuation
      id from somewhere it's no use for you.
    * When the session gets invalidated all continuations get
      invalidated too.

Hope that clears the situation.
--
Leszek Gawron                                      [EMAIL PROTECTED]
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65

Reply via email to