Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.
Erik On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont <corentin.dup...@gmail.com> wrote: > Yes, having a cookie to keep track of the session if something I plan to do. > > On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala <mats.rauh...@gmail.com> > wrote: >> >> The user id is not necessarily the problem, but rather that you can >> impose as another user. For this, one solution is to keep track of a >> unique (changing) user token in the cookies and use that for verifying >> the user. >> >> -- >> Mats Rauhala >> MasseR >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.10 (GNU/Linux) >> >> iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql >> tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt >> =tf0d >> -----END PGP SIGNATURE----- >> >> >> _______________________________________________ >> Haskell-Cafe mailing list >> Haskell-Cafe@haskell.org >> http://www.haskell.org/mailman/listinfo/haskell-cafe >> > > > _______________________________________________ > Haskell-Cafe mailing list > Haskell-Cafe@haskell.org > http://www.haskell.org/mailman/listinfo/haskell-cafe > _______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
