Reinhard Poetz wrote:
Leszek Gawron wrote:

Reinhard Poetz wrote:

Leszek Gawron wrote:

Reinhard Poetz wrote:

Leszek Gawron wrote:

Vadim Gritsenko wrote:

Leszek Gawron wrote:


Previously we discussed three continuations manager work modes:


- standard (current functionality)
- continuations invalidated along with session, still the continuation
  is reachable from other sessions (or no session at all)
- fully isolated. Only the session that created the continuation can
  access it.






IIUC before you introduced your changes it was possible to reuse continuations independently from where they have been created. What's the use case for this so that we still have to support it?




Hmm after 2nd reading of your post I see I did not understand you.

There are two orthogonal aspects of continuation visibility:
- interpreter aspect: a continuation should always be resumed by the same
  interpreter that created it. If not, you could invoke your continuation
  in another sitemap (wrong context, resource not found exceptions,
  security problems).
  This case has been fixed. Still, you can enable the old behaviour
  because some users relied on that functionality (although broken).

- security aspect:
  - OLD MODE: you can make your continuations visible for everyone. One
    user creates a continuation and passes the link to another user. The
    other one invokes it in a browser - it works. This is just as it has
    been from the start.
  - NEW MODE: secure continuations.
    The above behaviour creates the following problems for authenticated web
    applications:
    * continuation ids might be stored in browser link history or page
      cache.
    * even though the user has logged out and the session has been
      invalidated, the continuation might still be valid. As long as
      resuming the continuation does not query data from the user session it
      will work. This way you can have access to the secured part of the
      application without even logging in.
    So the following mode has been introduced:
    * continuations are bound to the session.
    * You can look up the continuation only among the ones you have
      created yourself. This way, even though you "steal" a continuation
      id from somewhere, it's no use for you.
    * When the session gets invalidated, all continuations get
      invalidated too.


Hope that clears the situation.




Thanks for the summary. The only point I still don't understand is: What's the use case to resume a continuation in a different sitemap? What did people try to solve this way? (I'm asking because it sounds like a bug and not like a feature that we have to maintain.)

Let's ask the user himself.


Do you remember who it is?
Does she/he monitor cocoon-dev?
I have already posted a message to dev (you probably already know that). He has also created a PATCH for that so we can add the same question to bugzilla and he will get it on his private mailbox.

--
Leszek Gawron                                      [EMAIL PROTECTED]
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65

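The three work modes discussed in this thread, as an added Java sketch that is not part of the original messages and is not Cocoon's own code. The class, method and mode names are hypothetical, and the session id is assumed to be a non-null string supplied by the servlet container.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; names are hypothetical, not Cocoon's ContinuationsManager API.
public class SessionBoundContinuations {
    enum Mode { STANDARD, INVALIDATE_WITH_SESSION, ISOLATED }

    private static final class Entry {
        final String sessionId; final Object state;
        Entry(String sessionId, Object state) { this.sessionId = sessionId; this.state = state; }
    }
    private final Mode mode;
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    SessionBoundContinuations(Mode mode) { this.mode = mode; }

    /** Registers a continuation created inside the given (non-null) session and returns its id. */
    String create(String sessionId, Object state) {
        String id = UUID.randomUUID().toString();
        entries.put(id, new Entry(sessionId, state));
        return id;
    }

    /** Returns the continuation state, or null if the caller may not resume it. */
    Object lookup(String id, String callerSessionId) {
        Entry e = entries.get(id);
        if (e == null) return null;
        // ISOLATED: an id taken from link history or page cache is useless in another session.
        if (mode == Mode.ISOLATED && !e.sessionId.equals(callerSessionId)) return null;
        return e.state;
    }

    /** Call from the session-destroyed hook (logout or timeout). */
    void sessionInvalidated(String sessionId) {
        if (mode == Mode.STANDARD) return; // old behaviour: continuations outlive the session
        entries.values().removeIf(e -> e.sessionId.equals(sessionId));
    }

    public static void main(String[] args) {
        for (Mode m : Mode.values()) {
            SessionBoundContinuations mgr = new SessionBoundContinuations(m);
            String id = mgr.create("session-A", "checkout step 2"); // constructed sample data
            boolean otherSession = mgr.lookup(id, "session-B") != null;
            mgr.sessionInvalidated("session-A");
            boolean afterLogout = mgr.lookup(id, null) != null; // caller has no session
            System.out.println(m + ": other session resumes=" + otherSession + ", resumes after logout=" + afterLogout);
        }
    }
}
```

Running `main` prints one line per mode, showing which of the two problems from the thread (resuming from a different session, resuming after logout) each mode still allows.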