Hi, sorry for the late reply. Yes, I might need to take the Zend_Auth check off here and use that instead, though the page doesn't get loaded each time to get the new key, i.e. a drop-down will just reload the video plugin. I might need to use some Ajax there to collect the new token, I guess, or make it expire after an hour.

On 13/10/2007, at 10:31 AM, Jared Williams wrote:



-----Original Message-----
From: Daniel Rossi [mailto:[EMAIL PROTECTED]
Sent: 12 October 2007 12:09
To: Zend Framework General
Subject: [fw-general] Securely exposing session id from Zend_Auth

Hi there, tricky question: I have a project which is using
Zend_Auth; however, when loading a controller via a Windows
Media Player plugin in Firefox, the Netscape plugin will
attempt to create its own session cookie, requiring the session
id to be sent in the params to the controller outputting a
playlist. How is it possible to securely expose the session
id, i.e. encrypting it and adding it as a JavaScript variable, so
it can be sent along with the request to the src of the
plugin object code?

Sorry if this might sound confusing; here is how the
JavaScript code builds the embed like:

src='/videocontroller/k/sessionidhere'

My issue is, if it's exposed, is it possible to add the session
cookie into another browser to get around the Zend_Auth login?

Do you need to access the session for the video url, or is it just to ensure
that only logged in people can view videos?

If the latter, just use an unpredictable token. For instance, a hash of
the url, a secret key, and the time. And use a url like
/videocontroller/hash/time. Then the video controller can validate the hash,
check the time isn't too distant, and then stream the video.

Jared
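
The token scheme suggested above (hash of the url, a secret key and the time, carried as /videocontroller/hash/time), sketched in PHP as an added example that is not code from either poster or from Zend Framework. It uses HMAC-SHA256 as the keyed hash; the function names, the secret placeholder and the one-hour lifetime constant are assumptions.

```php
<?php
// Added example. TOKEN_SECRET is a placeholder; names are hypothetical.
const TOKEN_SECRET  = 'replace-with-long-random-server-side-secret';
const TOKEN_MAX_AGE = 3600; // seconds (assumed one-hour lifetime)

/** Build <resource>/<hash>/<time>, e.g. /videocontroller/<hash>/<time>. */
function makeVideoUrl(string $resource, ?int $now = null): string
{
    $time = $now ?? time();
    // HMAC avoids the length-extension weakness of hash(secret . data).
    $hash = hash_hmac('sha256', $resource . '|' . $time, TOKEN_SECRET);
    return $resource . '/' . $hash . '/' . $time;
}

/** Validate the hash and time segments taken from the request URL. */
function isValidVideoToken(string $resource, string $hash, string $time, ?int $now = null): bool
{
    if (!ctype_digit($time)) {
        return false; // empty, signed or non-numeric timestamp
    }
    $age = ($now ?? time()) - (int) $time;
    if ($age < 0 || $age > TOKEN_MAX_AGE) {
        return false; // issued in the future, or expired
    }
    $expected = hash_hmac('sha256', $resource . '|' . $time, TOKEN_SECRET);
    return hash_equals($expected, $hash); // constant-time comparison
}

// Constructed sample run with a fixed clock so the outcome is repeatable.
$issued = 1192150000;
$url = makeVideoUrl('/videocontroller', $issued);
[, , $hash, $time] = explode('/', $url);

// Fresh token, ten minutes after issue: accepted.
var_dump(isValidVideoToken('/videocontroller', $hash, $time, $issued + 600));
// Same token two hours later: rejected as expired.
var_dump(isValidVideoToken('/videocontroller', $hash, $time, $issued + 7200));
// Time segment edited to extend the lifetime: hash no longer matches.
$forged = (string) ($issued + 7000);
var_dump(isValidVideoToken('/videocontroller', $hash, $forged, $issued + 7200));
// Token replayed against a different resource: rejected.
var_dump(isValidVideoToken('/othercontroller', $hash, $time, $issued + 600));
```

The token is a bearer value: anyone who obtains the URL can use it until it expires, so the lifetime bounds the exposure, and unlike the session id it grants nothing beyond the one resource it was issued for.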
