Opened 18 years ago
Closed 11 years ago
#168 closed enhancement (wontfix)
Can't enumerate sessions via ENUMERATERESOURCES
Reported by: | zspitzer | Owned by: | |
---|---|---|---|
Priority: | medium | Milestone: | |
Component: | Resource Service | Version: | |
Severity: | minor | Keywords: | |
Cc: | External ID: |
Description
It would be good to be able to access session resources via ENUMERATERESOURCES
Change History (9)
comment:1 by , 18 years ago
comment:2 by , 18 years ago
It is stricly for security reason. If user A knows user B's session ID, he/she will be able to access user B's data. ENUMERATERESOURCES may be modified so that the current user (excluding generic/system acounts such as Administrator, Author, Anonymous, etc.) can enumerate all of his/her resources for the current session. This will require a schema change.
comment:3 by , 18 years ago
If user A knows another sessionID, she can impersonate that user. That is ok, as the sessionID is not guessable, and should only be transfered over an encrypted link (eg. SSL). In other words, the sessionID represents an authentication token.
If the sessionID is compromised, there is no actual added security, as the map name (and most other resources as well) are highly guessable. It would merely be an inconvenience for an attacker.
comment:4 by , 18 years ago
Session resources are private data and should only be accessible to the owner or the administrator. If the user concerns about security (e.g. session IDs are compromised by a hacker, etc.), then SSL connections should be used.
comment:5 by , 18 years ago
so if you have admin rights we should respect the session_id in the url, and if you don't, the session_id in the resource should be ignored and the current session_id should be used
comment:6 by , 18 years ago
Milestone: | 1.2 → 1.3 |
---|
comment:9 by , 11 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
I agree. I would like this as well.