Is Seaside secure?

Posted on January 5, 2011

Now playing: Iggy Pop - Livin’ On The Edge Of The Night

Seaside is known as a heretical web framework: as every Seaside programmer knows, it uses continuations, keeps the application state on the server, and puts the keys to that state directly in the URL.

A typical Seaside URL contains two query parameters, _s and _k. _s identifies the session (it is the same for all pages generated within one session) and _k is used to look up a continuation within that session. Which components and content are rendered depends on the continuation that _k selects [1].

What is a continuation? Briefly, a continuation is a snapshot of the application state at a given point, stored on the server and resumed when a request presents the matching _k.

Well, what happens if we copy such a URL from one browser and open it in another one? If we do it quickly (before the session expires), we reach the same place in the application, even if the second browser runs on a different PC.

If our web application supports user accounts, we can even act as a different user in the system without authenticating. All we need is a generated URL with _s and _k taken from a logged-in user: whoever holds those two values holds that user's session.

I have successfully reproduced it with Seaside 2.8 on this blog (actually I do not know the exact version of Seaside shipped with GNU Smalltalk). Although I use cookies for authentication and check them every time in WASession>>start:, I was able to remove a post from a separate browser without logging in. Is it a bug or a feature? I think that it is a feature of Seaside and a bug in the application :). My point is to move all the state into cookies and use only RESTful URLs for such actions. In this case we don't rely only on continuations and handle the situation fully.
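As an added illustration (written in Python for this edit; it is not Seaside code and not from this blog), here is a small model of the _s/_k scheme and of the copied-URL hijack described above. The `Server`, the `Browser` cookie jars, the post names and the two-browser scenario are all constructed for the example. With `bind_to_cookie=False` the server, like the continuation-only setup, accepts any request that carries a valid _s and _k, so a URL pasted into a second browser deletes a post as the logged-in user. With `bind_to_cookie=True` the session is tied at login to a cookie that the second browser never receives, and the check runs on every request rather than only when the session starts, so the pasted URL is rejected.

```python
"""Constructed model of Seaside-style _s/_k URLs and a cookie-binding check.
Not Seaside code: the classes below stand in for a framework session store."""
import secrets


class Browser:
    """One user agent with its own cookie jar (stand-in for a real browser)."""

    def __init__(self):
        self.cookies = {}


class Server:
    def __init__(self, bind_to_cookie):
        self.bind_to_cookie = bind_to_cookie  # False: _s/_k alone authorise a request
        self.sessions = {}                    # _s -> {"user", "cookie", "continuations"}
        self.posts = {"hello-world", "seaside-notes"}  # constructed sample data

    def _new_session(self):
        s = secrets.token_urlsafe(8)
        self.sessions[s] = {"user": None, "cookie": None, "continuations": {}}
        return s

    def login(self, browser, user):
        """Authenticate and start a session; returns the session id (_s)."""
        s = self._new_session()
        self.sessions[s]["user"] = user
        if self.bind_to_cookie:
            token = secrets.token_urlsafe(16)
            self.sessions[s]["cookie"] = token
            browser.cookies["auth"] = token   # models Set-Cookie on the login response
        return s

    def render_delete_link(self, s, post):
        """Register a continuation ('delete this post') and return its URL."""
        k = secrets.token_urlsafe(8)
        self.sessions[s]["continuations"][k] = ("delete", post)
        return f"/blog?_s={s}&_k={k}"

    def request(self, browser, url):
        """Handle a GET of a _s/_k URL sent from `browser`."""
        params = dict(p.split("=") for p in url.split("?")[1].split("&"))
        sess = self.sessions.get(params.get("_s"))
        if sess is None:
            return 404, "session expired"
        # The hardening: the session is usable only from the browser that logged in.
        if self.bind_to_cookie and browser.cookies.get("auth") != sess["cookie"]:
            return 401, "cookie does not match session"
        cont = sess["continuations"].get(params.get("_k"))
        if cont is None:
            return 404, "unknown continuation"
        action, post = cont
        if action == "delete" and sess["user"] is not None:
            self.posts.discard(post)
            return 200, f"{post} deleted by {sess['user']}"
        return 403, "not allowed"


def hijack_attempt(bind_to_cookie):
    """Admin logs in on browser A; the admin's URL is pasted into browser B.
    Returns (status seen by B, whether the post survived)."""
    server = Server(bind_to_cookie)
    admin, other = Browser(), Browser()
    s = server.login(admin, "admin")
    url = server.render_delete_link(s, "hello-world")
    status, _ = server.request(other, url)
    return status, "hello-world" in server.posts


if __name__ == "__main__":
    print("URL-only:", hijack_attempt(False))    # (200, False): post deleted from browser B
    print("cookie-bound:", hijack_attempt(True))  # (401, True): pasted URL rejected
```

The model keeps the _s/_k URLs exactly as they are; the only change is that a request must also prove, via the login cookie, that it comes from the browser that authenticated. That is the minimum check a practitioner would want in front of any state-changing continuation, and it is independent of whether the action itself is later moved to a RESTful URL.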

Please correct me if I’m wrong.