Opened 18 years ago

Closed 11 years ago

#168 closed enhancement (wontfix)

Can't enumerate sessions via ENUMERATERESOURCES

Reported by: zspitzer Owned by:
Priority: medium Milestone:
Component: Resource Service Version:
Severity: minor Keywords:
Cc: External ID:

Description

It would be good to be able to access session resources via ENUMERATERESOURCES

Change History (9)

comment:1 by ksgeograf, 18 years ago

I agree. I would like this as well.

comment:2 by stevedang, 18 years ago

It is stricly for security reason. If user A knows user B's session ID, he/she will be able to access user B's data. ENUMERATERESOURCES may be modified so that the current user (excluding generic/system acounts such as Administrator, Author, Anonymous, etc.) can enumerate all of his/her resources for the current session. This will require a schema change.

comment:3 by ksgeograf, 18 years ago

If user A knows another sessionID, she can impersonate that user. That is ok, as the sessionID is not guessable, and should only be transfered over an encrypted link (eg. SSL). In other words, the sessionID represents an authentication token.

If the sessionID is compromised, there is no actual added security, as the map name (and most other resources as well) are highly guessable. It would merely be an inconvenience for an attacker.

comment:4 by stevedang, 18 years ago

Session resources are private data and should only be accessible to the owner or the administrator. If the user concerns about security (e.g. session IDs are compromised by a hacker, etc.), then SSL connections should be used.

comment:5 by zspitzer, 18 years ago

so if you have admin rights we should respect the session_id in the url, and if you don't, the session_id in the resource should be ignored and the current session_id should be used

comment:6 by tomfukushima, 18 years ago

Milestone: 1.21.3

comment:7 by jbirch, 17 years ago

Milestone: 2.0

Removed milestone. Way forward on this is not clear.

comment:8 by jbirch, 15 years ago

Version: 1.2.0

removing version #

comment:9 by jng, 11 years ago

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.