Opened 13 years ago

Closed 7 years ago

#168 closed enhancement (wontfix)

Can't enumerate sessions via ENUMERATERESOURCES

Reported by: zspitzer
Owned by:
Priority: medium
Milestone:
Component: Resource Service
Version:
Severity: minor
Keywords:
Cc:
External ID:

Description

It would be good to be able to access session resources via ENUMERATERESOURCES

Change History (9)

comment:1 Changed 13 years ago by ksgeograf

I agree. I would like this as well.

comment:2 Changed 13 years ago by stevedang

It is strictly for security reasons. If user A knows user B's session ID, he/she will be able to access user B's data. ENUMERATERESOURCES may be modified so that the current user (excluding generic/system accounts such as Administrator, Author, Anonymous, etc.) can enumerate all of his/her resources for the current session. This will require a schema change.

comment:3 Changed 13 years ago by ksgeograf

If user A knows another sessionID, she can impersonate that user. That is ok, as the sessionID is not guessable, and should only be transferred over an encrypted link (e.g. SSL). In other words, the sessionID represents an authentication token.

If the sessionID is compromised, there is no actual added security, as the map name (and most other resources as well) are highly guessable. It would merely be an inconvenience for an attacker.

comment:4 Changed 13 years ago by stevedang

Session resources are private data and should only be accessible to the owner or the administrator. If the user is concerned about security (e.g. session IDs are compromised by a hacker, etc.), then SSL connections should be used.

comment:5 Changed 13 years ago by zspitzer

So if you have admin rights, we should respect the session_id in the URL, and if you don't, the session_id in the resource should be ignored and the current session_id should be used.
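The rule proposed in comment 5, as an added example that is not part of the ticket or of the project's code: an administrator may name any session in the request, while every other caller is pinned to the session they authenticated with, so a session_id carried in the URL is simply ignored for them. The resource-ID shape "Session:<session_id>//<name>", the Requester type and the in-memory store are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed resource-ID shape for session resources (not from the ticket).
SESSION_PREFIX = "Session:"


@dataclass(frozen=True)
class Requester:
    session_id: str          # session the caller authenticated with
    is_admin: bool = False   # administrators may enumerate any session


def session_of(resource_id: str) -> Optional[str]:
    """Return the session that owns a session resource, or None for
    non-session (library) resources."""
    if not resource_id.startswith(SESSION_PREFIX):
        return None
    return resource_id[len(SESSION_PREFIX):].split("//", 1)[0]


def effective_session(requester: Requester, requested: Optional[str]) -> str:
    """Comment 5's rule: honour a requested session_id only for admins;
    everyone else always gets their own current session."""
    if requester.is_admin and requested:
        return requested
    return requester.session_id


def enumerate_session_resources(store: List[str], requester: Requester,
                                requested: Optional[str] = None) -> List[str]:
    """Enumerate only the resources belonging to the permitted session."""
    target = effective_session(requester, requested)
    return sorted(r for r in store if session_of(r) == target)


# Constructed sample store: two sessions plus one library resource.
STORE = [
    "Session:aaa-111//Map.MapDefinition",
    "Session:aaa-111//Sel.Selection",
    "Session:bbb-222//Map.MapDefinition",
    "Library://Samples/Sheboygan.MapDefinition",
]

if __name__ == "__main__":
    user = Requester("aaa-111")
    # A non-admin asking for bbb-222 still only sees aaa-111.
    print(enumerate_session_resources(STORE, user, requested="bbb-222"))
    admin = Requester("aaa-111", is_admin=True)
    print(enumerate_session_resources(STORE, admin, requested="bbb-222"))
```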

comment:6 Changed 13 years ago by tomfukushima

Milestone: 1.21.3

comment:7 Changed 13 years ago by jbirch

Milestone: 2.0

Removed milestone. Way forward on this is not clear.

comment:8 Changed 11 years ago by jbirch

Version: 1.2.0

removing version #

comment:9 Changed 7 years ago by jng

Resolution: wontfix
Status: new → closed