Re: Web Objects URLs
- Subject: Re: Web Objects URLs
- From: mmalcolm crawford <email@hidden>
- Date: Thu, 10 May 2001 00:41:49 +0100
On Wednesday, May 9, 2001, at 11:33 pm, email@hidden wrote:

> I'm curious about the way that WebObjects maintains state without using
> cookies.
A WebObjects application has Session objects which represent user
sessions. Each has a unique session ID, which is appended to the WO
URL, e.g.:
    http://localhost.apple.com:/
    cgi-bin/WebObjects/MyApp.woa/wo/bh4RYkawiiEbd945Xo3jdg/1.3.3.0.1
                                    ^^^^^^^^^^^^^^^^^^^^^^
The numbers thereafter identify (1) the transaction number (context ID),
and (3.3.0.1) which element was clicked on last time.
(The session ID can actually be put into a cookie.)
The WebObjects adaptor automatically routes each request to the
appropriate application instance, and the instance directs events at the
appropriate session...
> I'm primarily interested in security implications - for example, can
> sensitive data be reverse engineered,
No.
... none of the internal workings are exposed to the user.
> and can the page pointed to by the URL be set
> to expire the way a cookie can?
Sessions do have an expiration time, by default one hour after the user
last did anything. If you want to ensure no-one can "break into" a
session, however, you'll have to layer your own security mechanism on
top, such as HTTP authentication, SSL etc. just as you would any
standard web application.
For more about WebObjects administration or development, you should
probably look at Omni's lists:
email@hidden
http://www.omnigroup.com/mailman/listinfo/webobjects-admin
email@hidden
http://www.omnigroup.com/mailman/listinfo/webobjects-dev
mmalc
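
Because the session ID travels in the URL, it also ends up wherever URLs are recorded, such as access logs and Referer headers. The following is an added example, not part of the original message or of WebObjects itself: it parses the URL layout described above and replaces the session ID in log lines with a one-way tag. The function names, the tag format and the sample log line are assumptions constructed for illustration.

```python
import hashlib
import re
from typing import NamedTuple, Optional

# Layout described in the message: .../<App>.woa/wo/<sessionID>/<contextID>.<elementID>
WO_URL = re.compile(
    r"(?P<prefix>/(?P<app>[^/\s]+)\.woa/wo/)(?P<sid>[^/\s]+)"
    r"/(?P<ctx>\d+)\.(?P<elem>\d+(?:\.\d+)*)"
)

class WOUrl(NamedTuple):
    app: str          # application name, e.g. "MyApp"
    session_id: str   # opaque per-user session identifier
    context_id: int   # transaction number within the session
    element_id: str   # dotted path of the element clicked last time

def parse_wo_url(url: str) -> Optional[WOUrl]:
    """Return the URL's parts, or None if it is not a session-carrying WO URL."""
    m = WO_URL.search(url)
    if m is None:
        return None
    return WOUrl(m["app"], m["sid"], int(m["ctx"]), m["elem"])

def _tag(session_id: str) -> str:
    # One-way tag: the same session always maps to the same tag, so log lines
    # can still be correlated, but the tag cannot be used to resume the session.
    return "sid-" + hashlib.sha256(session_id.encode()).hexdigest()[:12]

def redact_session_ids(line: str) -> str:
    """Replace the session ID of every WO URL found inside a log line."""
    return WO_URL.sub(
        lambda m: f"{m['prefix']}{_tag(m['sid'])}/{m['ctx']}.{m['elem']}", line
    )

# The URL from the message, joined onto one line.
SAMPLE_URL = ("http://localhost.apple.com:/cgi-bin/WebObjects/"
              "MyApp.woa/wo/bh4RYkawiiEbd945Xo3jdg/1.3.3.0.1")

# Constructed access-log line: the session ID appears in the request path
# and again in the Referer field.
SAMPLE_LOG = ('192.0.2.10 - - [10/May/2001:00:41:49 +0100] '
              '"GET /cgi-bin/WebObjects/MyApp.woa/wo/bh4RYkawiiEbd945Xo3jdg/2.5 HTTP/1.0" '
              '200 512 "' + SAMPLE_URL + '"')

if __name__ == "__main__":
    print(parse_wo_url(SAMPLE_URL))
    print(redact_session_ids(SAMPLE_LOG))
```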