[Citadel Development] (no subject)
> Getting more REST-like would probably fit in nicely with the anonymous
> login feature. Any HTTP GET request received by webcit would require
> webcit to ask citserver if the requested resource required
> authentication, but then webcit wouldn't need to carry around much, if
> any, state information.

We're solving that problem by obfuscating URLs so you can't tell whether they're REST or not. (It's an SEO feature)
[Citadel Development] [SCM] citadel.org branch, master, updated. d75b53ffd1f1e6cfbce340bae25710652617397c
Push to the project "citadel.org ":

The branch, master has been updated
via d75b53ffd1f1e6cfbce340bae25710652617397c (commit)
from 2586658ccd87f0cd37312c2c85cd76d3c7d3ee54 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
http://code.citadel.org/cgit.cgi/git.citadel.org/commit/?id=d75b53ffd1f1e6cfbce340bae25710652617397c

commit d75b53ffd1f1e6cfbce340bae25710652617397c
Author: Art Cancro
Date: Tue Jan 18 17:18:14 2011 -0500

Enter/return key submits form in the new user/password dialog

---

Summary of changes:
webcit/static/authmethods.js | 17 +
webcit/static/t/get_logged_in.html | 4 ++--
2 files changed, 19 insertions(+), 2 deletions(-)

hooks/post-receive
--
citadel.org
[Citadel Development] Re:
afaik REST doesn't say anything about authentication mechanisms at all; it primarily says that a resource should be identified by a unique URL; so the floor & roomname would have to be part of the URLs. It's doable in some parts; parsing the URL (and message IDs) is a little trickier, since you need to find out whether the URL part identifies a part of a floor, roomname, message, or even sub-message. Though using different rooms in different browser tabs would be possible with that.
[Citadel Development] (no subject)
How difficult would it be to shift away from using cookies towards a more REST-based architecture? Rely on authentication through the browser, or encode the authentication credentials in every URL (encrypted, of course). That would be one solution that would allow multiple users logged in via the same browser.

An easier method would be to try to detect another login when one has already occurred and reject the additional attempt.

Getting more REST-like would probably fit in nicely with the anonymous login feature. Any HTTP GET request received by webcit would require webcit to ask citserver if the requested resource required authentication, but then webcit wouldn't need to carry around much, if any, state information.

REST Binder
[Citadel Development] Re: Message security
There was, however, a problem with sessions not being *fully* logged out. I have just fixed that.

I doubt we will ever have the ability to log in two different users at the same time from the same browser. On the other hand, I have been adding "go=" URL components to a lot of the stuff I've been touching, so that if a user has two different windows open in two different rooms it'll try to keep each window in the correct room.
[Citadel Development] [SCM] citadel.org branch, master, updated. 2586658ccd87f0cd37312c2c85cd76d3c7d3ee54
Push to the project "citadel.org ":

The branch, master has been updated
via 2586658ccd87f0cd37312c2c85cd76d3c7d3ee54 (commit)
from d0526482accfcacb8b6f925afdf67d562925b5a0 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
http://code.citadel.org/cgit.cgi/git.citadel.org/commit/?id=2586658ccd87f0cd37312c2c85cd76d3c7d3ee54

commit 2586658ccd87f0cd37312c2c85cd76d3c7d3ee54
Author: Art Cancro
Date: Tue Jan 18 13:25:28 2011 -0500

CtdlUserLogout() fixed to more thoroughly log the user out

---

Summary of changes:
citadel/user_ops.c | 26 +-
citadel/user_ops.h | 2 --
2 files changed, 13 insertions(+), 15 deletions(-)

hooks/post-receive
--
citadel.org
[Citadel Development] Re: Message security
Because of the use of cookie-based authentication you can't do that with one browser. If you're able to reproduce this with two browsers (run a Chrome and a Firefox), then we have a problem.

Since the client knows the room it's in, messages from "wrong" rooms will be displayed.
[Citadel Development] Message security
Try this on a recent citadel HEAD:

Have two accounts with messages in the mailbox.
Open two browser windows with the same browser instance.
Log in window 1 to webcit and bring up the mailbox view.
Open the same view on window 2, and then log out on window 2.
Log in window 2 to the other webcit account and bring up the mailbox view.

You should now have 2 windows both seeming to be logged into webcit but with different accounts.

Now for the fun: On each window, click on messages in the mail list. Be surprised that they BOTH work, even though session 1 is supposed to be logged out.
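The following is a constructed model of the two-window scenario in this report, added here as an example; it is not code from webcit or citserver. It treats every window of one browser as sharing a single cookie jar (the point Wilfried makes about cookie-based authentication), makes logout delete the whole server-side session record so a stale window cannot act on the old login (the property Art's "fully logged out" fix is about, expressed in the thread's own terms), and carries a per-window go= room parameter so two windows of one session can stay in different rooms. The user names, room names, message ids and all class and function names are invented for the example.

```python
"""Model: shared browser cookie jar, complete server-side logout, per-window go= room."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed sample data (not real Citadel data): per-user rooms holding messages.
ROOMS: dict[str, dict[str, dict[int, str]]] = {
    "alice": {"Mail": {101: "alice: hello", 102: "alice: invoice"},
              "Lobby": {901: "alice: lobby note"}},
    "bob":   {"Mail": {201: "bob: hello"}},
}


@dataclass
class Session:
    user: str
    room: str = "Mail"      # server-side "current room" of a classic stateful client


class Server:
    """Hypothetical server: session ids map to records; logout removes the record."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        if user not in ROOMS:
            raise PermissionError("unknown user")
        sid = secrets.token_urlsafe(32)          # fresh, unguessable session id per login
        self.sessions[sid] = Session(user=user)
        return sid

    def logout(self, sid: str | None) -> None:
        # Complete logout: drop the whole record, so the id is dead for every window.
        self.sessions.pop(sid, None)

    def _session(self, sid: str | None) -> Session:
        sess = self.sessions.get(sid)
        if sess is None:
            raise PermissionError("not logged in")
        return sess

    def goto(self, sid: str | None, room: str) -> None:
        sess = self._session(sid)
        if room not in ROOMS[sess.user]:
            raise PermissionError("no such room for this user")
        sess.room = room

    def list_room(self, sid: str | None, go: str | None = None) -> list[int]:
        sess = self._session(sid)
        msgs = ROOMS[sess.user].get(go if go is not None else sess.room)
        if msgs is None:
            raise PermissionError("no such room for this user")
        return sorted(msgs)

    def get_message(self, sid: str | None, msg_id: int, go: str | None = None) -> str:
        # Authorisation is decided by the session's user, never by the id the page shows.
        sess = self._session(sid)
        msgs = ROOMS[sess.user].get(go if go is not None else sess.room, {})
        if msg_id not in msgs:
            raise PermissionError("message not visible to this session")
        return msgs[msg_id]


class Browser:
    """One browser instance: all of its windows share a single cookie jar."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.cookie: str | None = None


class Window:
    def __init__(self, browser: Browser, room: str = "Mail") -> None:
        self.b = browser
        self.room = room            # sent with every request as go=<room>
        self.listing: list[int] = []  # what the rendered page still shows

    def login(self, user: str) -> None:
        self.b.cookie = self.b.server.login(user)

    def logout(self) -> None:
        self.b.server.logout(self.b.cookie)
        self.b.cookie = None

    def refresh(self) -> list[int]:
        self.listing = self.b.server.list_room(self.b.cookie, go=self.room)
        return self.listing

    def click(self, msg_id: int) -> str:
        return self.b.server.get_message(self.b.cookie, msg_id, go=self.room)


def _attempt(fn) -> str:
    try:
        return fn()
    except PermissionError as exc:
        return f"denied: {exc}"


def reproduce_report() -> dict[str, str]:
    """Walk the report's steps; every request is judged by the live session only."""
    server = Server()
    browser = Browser(server)
    w1, w2 = Window(browser), Window(browser)
    w1.login("alice"); w1.refresh()            # window 1: log in, mailbox view
    w2.refresh(); w2.logout()                  # window 2: same view, then log out
    after_logout = _attempt(lambda: w1.click(w1.listing[0]))  # stale window 1, no session
    w2.login("bob"); w2.refresh()              # window 2: log in as the other account
    stale_click = _attempt(lambda: w1.click(w1.listing[0]))   # window 1 still lists alice
    bob_click = _attempt(lambda: w2.click(w2.listing[0]))
    return {"after_logout": after_logout, "stale_click": stale_click, "bob_click": bob_click}


def two_rooms_one_session() -> tuple[list[int], list[int]]:
    """go= keeps each window in its own room even after the session's room changes."""
    server = Server()
    browser = Browser(server)
    mail, lobby = Window(browser, room="Mail"), Window(browser, room="Lobby")
    mail.login("alice")
    server.goto(browser.cookie, "Lobby")       # a second window moves the current room
    return mail.refresh(), lobby.refresh()
```

With the record deleted on logout, the first window's click is refused outright after step 2, and after step 3 it is judged as bob, so alice's message ids from the stale listing are refused as well; only bob's own messages open. The go= variant shows the other point in Art's reply: the server's "current room" is advisory, and each window's URL decides what it displays.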