On Thu, 27 Dec 2001, Wojciech Kocjan wrote:

> First of all, why do I need cookie? My SIDs are 32bytes long so guessing
> it could be a bit of a PITA. And if someone would sniff the SID, he
> could set his browser's cookies to send this SID. So I don't understand
> how cookies might help? [especially that they are sent from a
> potentially untrusted user]

The one way cookies can help avoid hijacking is in a
security-through-obscurity sense, since it's more difficult to set a
cookie using the conventional command-line tools, or even through browsers
(browsers I use allow viewing and deleting of cookies, but not creation,
as far as I know).

> And about relative links, I guess that using
> <BASE HREF="http://www.domain.com/sid0123456789ABCDEF"> should solve
> relative this problem as well :-)

You could also tack the sid on to the end of the url, after the pagename,
so that the sid is available as path_info.