Philip Mak wrote:
>
> I think that it may actually be harmful to power users in some cases if
> you "PerlSetVar ParanoidSession 1". If the session key is stored in as a
> URL string, and someone has two different kinds of web browsers open and
> legitimately copies and pastes the URL from one web browser to another
> (because your glitzy DHTML site won't work in Opera or something),
> ParanoidSession will break it.
>
You are right. This implementation was necessitated before by the ASP session implementation stating that a session had to be created if it did not already exist for the incoming session id...

... but I changed the Apache::ASP session implementation a while ago to create a new session id when an invalid one is incoming. I could use this approach here to fix the behavior you describe. The security effect would be the same for a hacker trying to guess session ids. I'll put this on my TODO.

--Josh

_________________________________________________________________
Joshua Chamas                           Chamas Enterprises Inc.
NodeWorks Founder                       Huntington Beach, CA USA
http://www.nodeworks.com                1-714-625-4051
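The two behaviors discussed in this exchange, as an added standalone model (not Apache::ASP code and not anything Josh or Philip posted): a session store that binds each session to a client fingerprint, handling a mismatch either by refusing the request or by treating the incoming id as invalid and issuing a fresh session. The fingerprint is assumed here to be the User-Agent header, which the two-browsers scenario in the quote implies; the user agent strings and the "alice" session data are constructed sample input.

```python
"""Model of two ways a server can react when a known session id arrives from
a browser other than the one that created it.  Written for this thread as an
illustration; it is not Apache::ASP code.  The ParanoidSession fingerprint is
assumed to be the User-Agent header."""
import secrets

STRICT = "strict"          # mismatch: refuse the request (the behavior Philip hit)
REGENERATE = "regenerate"  # mismatch: treat the id as invalid, issue a fresh session


class SessionStore:
    def __init__(self, mode=REGENERATE):
        self.mode = mode
        self._sessions = {}  # session id -> {"ua": user agent, "data": {...}}

    def _create(self, user_agent):
        sid = secrets.token_hex(16)  # 128 random bits: not guessable in practice
        self._sessions[sid] = {"ua": user_agent, "data": {}}
        return sid

    def resolve(self, incoming_sid, user_agent):
        """Map the id the client sent (cookie or URL) to the session to use.

        Returns (sid, created).  An unknown id always yields a fresh session;
        a known id presented from a different user agent is handled per mode."""
        entry = self._sessions.get(incoming_sid) if incoming_sid else None
        if entry is None:
            return self._create(user_agent), True
        if entry["ua"] != user_agent:
            if self.mode == STRICT:
                raise PermissionError("session is bound to a different user agent")
            return self._create(user_agent), True
        return incoming_sid, False

    def data(self, sid):
        return self._sessions[sid]["data"]


def copy_url_between_browsers(mode):
    """Philip's scenario: start a session in one browser, paste the URL
    carrying the session id into another kind of browser."""
    store = SessionStore(mode)
    sid, _ = store.resolve(None, "Mozilla/4.0 (DHTML-capable browser)")  # constructed
    store.data(sid)["user"] = "alice"                                     # constructed
    try:
        _, created = store.resolve(sid, "Opera/5.0")                       # constructed
    except PermissionError:
        return "rejected"
    return "fresh session" if created else "same session"


def attacker_reaches_victim(mode, guesses=1000):
    """Two attacker moves, same outcome in either mode: random ids do not
    land on a 128-bit session id, and even the victim's real id presented
    from another user agent gives no access to the victim's data."""
    store = SessionStore(mode)
    victim, _ = store.resolve(None, "Mozilla/4.0")   # constructed victim browser
    store.data(victim)["user"] = "alice"
    probes = [secrets.token_hex(16) for _ in range(guesses)] + [victim]
    for probe in probes:
        try:
            sid, _ = store.resolve(probe, "curl/7.9")  # constructed attacker client
        except PermissionError:
            continue  # strict mode refused the request outright
        if store.data(sid).get("user") == "alice":
            return True
    return False


if __name__ == "__main__":
    for mode in (STRICT, REGENERATE):
        print(mode, "copy-paste:", copy_url_between_browsers(mode),
              "| attacker reaches victim:", attacker_reaches_victim(mode))
```

In REGENERATE mode the pasted URL simply starts a clean session in the second browser instead of erroring, which is the fix Josh describes; in neither mode does a guessed or borrowed id reach another user's data, which is why he says the security effect is the same.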