[Chameleon-dev] [Bug 692] Javascript Exceptions using BoundingBoxPopup widget

bugzilla-daemon at maptools.org bugzilla-daemon at maptools.org
Mon Dec 20 10:43:13 EST 2004


http://www.maptools.org/bugzilla/show_bug.cgi?id=692

pspencer at dmsolutions.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chameleon-
                   |                            |dev at lists.maptools.org
         AssignedTo|chameleon-                  |jmckenna at dmsolutions.ca
                   |dev at lists.maptools.org      |



------- Additional Comments From pspencer at dmsolutions.ca  2004-12-20 10:43 -------
documentation issue - related content from mailing list:

this problem is not easily solved.  Chameleon session management attempts to
prevent session hijacking (or fixation) for security reasons ... what this means
is that when you start a session, the URL that you connected from is recorded in
the session.  When subsequent requests arrive, the current URL is tested against
the one in the session.  If they don't match, the session is immediately terminated.

When you include an absolute URL in the chameleon.xml file, this has a strange
side effect because the session will record the URL that the user used to
connect, but popups are launched using the URL from chameleon.xml.  If they
aren't the same, you end up with this problem.

If you use a relative URL, then Chameleon figures out the right host for popups
from the URL the user is using.

I think this is primarily a documentation issue; the way this works should be
left as-is to allow for tighter security, but it should be clearly documented
somewhere what the implications of using different configurations in
chameleon.xml are.

Thanks for finding this out and reporting it on the list.  Until you brought
this up, I hadn't really realized that this would happen.  Seems obvious now ;)



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
You are on the CC list for the bug, or are watching someone who is.
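The session-binding check and the popup-URL side effect described in the comment above, as an added illustration that is not Chameleon's own code. It assumes the session records the scheme and host of the first request and compares them on each later request (the comment only says "the URL"), and that a popup URL from chameleon.xml is resolved the way a browser resolves a link: an absolute URL is used as-is, a relative one is resolved against the page the user is on. All URLs are constructed sample values.

```python
from urllib.parse import urljoin, urlsplit


class SessionTerminated(Exception):
    """Raised when a request arrives from an origin other than the one the session was started from."""


def origin_of(url: str) -> tuple[str, str]:
    # Assumption: the binding compares scheme + host[:port], not the full path.
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


class Session:
    def __init__(self, first_request_url: str) -> None:
        # Record where the user connected from when the session starts.
        self.bound_origin = origin_of(first_request_url)

    def check_request(self, request_url: str) -> None:
        # Every later request must come from the same origin, otherwise the session ends.
        if origin_of(request_url) != self.bound_origin:
            raise SessionTerminated(
                f"request from {origin_of(request_url)} does not match "
                f"session origin {self.bound_origin}"
            )


def popup_url(config_url: str, current_page_url: str) -> str:
    # Relative config values inherit the host the user is actually using;
    # absolute ones override it, which is the source of the reported problem.
    return urljoin(current_page_url, config_url)


def simulate_popup(config_url: str, user_page_url: str) -> str:
    """Return 'ok' if the popup request survives the session check, else 'terminated'."""
    session = Session(user_page_url)
    try:
        session.check_request(popup_url(config_url, user_page_url))
    except SessionTerminated:
        return "terminated"
    return "ok"


if __name__ == "__main__":
    # Constructed example: the deployment is reachable under two hostnames.
    page = "http://maps.example.org/chameleon/index.phtml"
    absolute = "http://www.example.org/chameleon/widgets/bbox_popup.phtml"
    relative = "widgets/bbox_popup.phtml"
    print("absolute URL in chameleon.xml:", simulate_popup(absolute, page))  # terminated
    print("relative URL in chameleon.xml:", simulate_popup(relative, page))  # ok
```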