Feature #7598


Consider providing independent weakSessionIds to identify private WResource URLs

Added by Bruce Toll almost 4 years ago. Updated almost 3 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:


As of github wt 4.3.0-29-g817a7869, wt uses a single sessionId to identify both application sessions and private resources. This facilitates the typical case where both are used together.

If, however, a private resource URL gets shared outside the normal context, the use of a separate weakSessionId limited to serving resources provides an additional measure of protection.

Attached, for your consideration, is a series of patches providing support for weakSessionIds. The patches have been lightly tested with Wt 4.3.0-29-g817a7869. I also did some testing with callgrind and suspect the performance difference is unlikely to be noticed.

In the end, the implementation required more code than I expected, so the burden for review and testing may outweigh the extra functionality. The patch could be reduced in size by replacing the SessionEntry classes with lighter weight structs without accessors. That would also permit more stream-lined declarations for the SessionMaps, since they would not need access to private SessionEntry variables. However, the current patch series should be sufficient for evaluation....

The first patch adds support for the weakSessionId infrastructure, but continues to use the existing sessionId with WResources. Basically, it assigns an independent weakSessionId to each WebSession using generateSessionId and tracks this weakSessionId along with the existing sessionId in the SessionMap. To accommodate the extra index, the std::map is replaced with a boost::multi_index_container. There are additional notes in the commit message.

The second patch is small and enables the use of weakSessionIds for WResources. It only works for WResources with empty internalPaths and is limited to the http connector with shared sessions.

The third patch adds support for dedicated sessions.

The fourth patch disables weakSessionIds for the fcgi and isapi connectors. NOTE: Due to limitations of my test environment, I only verified that the http connector still works and that the fcgi connector builds.


Actions #1

Updated by Roel Standaert almost 4 years ago

  • Target version set to 4.5.0
Actions #2

Updated by Roel Standaert over 3 years ago

  • Description updated (diff)
  • Target version changed from 4.5.0 to 4.6.0
Actions #3

Updated by Roel Standaert almost 3 years ago

  • Target version changed from 4.6.0 to future

Also available in: Atom PDF