Wouldn't a simple check on hasSession do the trick? No session = no action = pageWithName(OhNoYouDidNot)
-G

On Jul 22, 2010, at 9:40 AM, Patrick Middleton <[email protected]> wrote:

>
> On 22 Jul 2010, at 12:49, Anjo Krank wrote:
>
>> Why would you "preserve" the session id when it's no longer valid?
>>
>> Cheers, Anjo
>>
>> On 22.07.2010 at 13:28, Patrick Middleton wrote:
>>
>>> in order to sanitize inputs -- mostly by removing anything containing the
>>> likes of '<script'. What do you think?
>
>
> Preserve the session id when it's no longer valid? Anjo, are you saying my
> application should have sanitised its inputs?
>
> When I wrote the app I considered how a session ID might not be valid, and
> what the app would do:
> timed out: give a 'timed out' response page
> ought to exist, but the instance has crashed and restarted: give a 'timed
> out' response page
> redirected to the wrong instance by the load balancer: give a 'timed out'
> response page
> and so on.
>
> I didn't explicitly preserve the session ID. What I did not consider was
> someone cooking up an interesting bogus sessionID and then finding a page
> accessible by a direct action that had some component action URLs on it, so
> that in the event of the session ID not being valid, I would need to take
> steps to ensure it did not appear in the response.
>
> Moreover, while the sessionID is an excellent place to start for anybody
> probing for security vulnerabilities in a WO app, it's not the only place --
> I think every form value, cookie and CGI argument needs to be sanitised.
>
>
> ---
> Regards Patrick
> OneStep Solutions Plc
> www.onestep.co.uk

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com

This email sent to [email protected]
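The guard George proposes, written out as an added example (this is not code from the thread or from any of its posters, and not OneStep's application). It assumes a WebObjects 5.x application with components named "OhNoYouDidNot" (the name used above) and "Login" (assumed); the class and action names are hypothetical. The point it demonstrates is Patrick's failure case: a page reached through a direct action that carries component action URLs embeds the request's session id in those URLs, so rendering it for a stale or hand-crafted id reflects that id into the response. Refusing to render such a page unless a session can actually be restored removes the reflection without having to sanitise the id.

```java
// Added example, not code from the thread. Assumes components "OhNoYouDidNot"
// and "Login" exist; DirectAction and accountAction are hypothetical names.
import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WODirectAction;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOSession;

public class DirectAction extends WODirectAction {

    public DirectAction(WORequest request) {
        super(request);
    }

    // A page containing component actions (WOHyperlink/WOForm without a
    // direct action) embeds the session id in every generated URL. Serve it
    // only when the id in the request still maps to a live session.
    public WOActionResults accountAction() {
        // existingSession() restores the session if the id carried in the
        // cookie or URL is valid and returns null otherwise. It never creates
        // a session, so a timed-out, stale or bogus id falls through here.
        WOSession session = existingSession();
        if (session == null) {
            // No session = no action. "OhNoYouDidNot" must itself contain no
            // component actions and must not echo the request's session id,
            // otherwise the reflection is simply moved to this page.
            return pageWithName("OhNoYouDidNot");
        }
        // From here on context().hasSession() is true and the page's
        // component action URLs carry an id the application issued.
        return pageWithName("Account");
    }

    // Entry point that legitimately works without a session. It should
    // stay free of component actions and use direct-action forms only.
    public WOActionResults defaultAction() {
        return pageWithName("Login");
    }
}
```

The same check belongs in every direct action that returns a stateful page; for the timed-out, crashed-instance and wrong-instance cases Patrick lists, existingSession() returns null in exactly the same way, so one guard covers all of them. Form values, cookies and CGI arguments that are echoed back still need escaping separately, as Patrick notes.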
