From: Ramsey G. <rg...@sm...> - 2013-01-10 16:12:25
It's probably just that no one ever had that problem with it before. It's not hard to imagine with such a small group of WO devs that the exact combination you describe would go unnoticed. Sounds like a bug.

Ramsey

On Jan 10, 2013, at 2:56 AM, Robin Smith wrote:

> Hi Jesse
>
> I think we may be talking about different things. ERAttachmentLink is used
> to create a hyperlink on your page to download ERAttachments, in our
> case from S3. Put simply, the URL that the link creates doesn't include
> the session ID.
>
> Many Thanks
>
> Robin
>
> On 9 January 2013 23:39, Jesse Tayler <jt...@oe...> wrote:
>>
>> well, methinks file upload is done without a session that way because uploading files takes a long time and can cause session timeouts on its own.
>>
>> is that what you mean?
>>
>> as for your security issue? I am not certain why you lose visibility about who is logged in? certainly you should be able to do this in a reasonably secure way so I don't entirely follow what is going on there.
>>
>> On Jan 9, 2013, at 12:43 PM, Robin Smith <rob...@cl...> wrote:
>>
>>> Hi All
>>>
>>> We have a question regarding ERAttachmentLink. Following the code through, it
>>> seems that it doesn't preserve the session when it creates the links.
>>> The reason this is important is that, using a custom handler to check
>>> that our currently logged in user can access the given attachment, we
>>> lose all visibility of who is actually logged in.
>>>
>>> If the app is using cookies for its sessions all is fine as the
>>> session is retrieved from the cookie, but if the session is in the URL
>>> then it all breaks down. I can obviously tweak ERAttachmentLink to
>>> preserve the session if needed, but before I started I wanted to know
>>> if there is any reason why it was done in this way.
>>>
>>> Many Thanks
>>>
>>> Robin
>>>
>>> --
>>>
>>> ------------------------------
>>> Click Travel Ltd
>>> Taking business travel and expenses one step further
>>> http://www.clicktravel.com
>>>
>>> Winner of "Best Business Travel Management Company" at the Business Travel
>>> Awards (2012 & 2009) and the Travel Trade Gazette Awards (2011). We're also ranked
>>> 22nd in the 2012 Sunday Times Hiscox Tech Track 100.
>>>
>>> For all the latest Click news please visit our blog:
>>> http://clicktravel.com/blog
>>>
>>> Think: Do you really need to print this email?
>>>
>>> _______________________________________________
>>> Wonder-disc mailing list
>>> Won...@li...
>>> https://lists.sourceforge.net/lists/listinfo/wonder-disc
>
> --
> Robin Smith
> Engineering Team Leader BEng (Hons) MBCS