Mark Fuller said:
I thought the problem with putting the session ID in the URL is that
the user might copy/paste the URL to others. When they try to use it,
the app would have no way to know it's not the real user?
Another problem is bookmarks. A user may bookmark a page, but when they
come back a couple of days later, the session has expired. They might also
email a link to others, and that link may not work for the same reason.
I think for my purposes having a 5 minute expiry time is sufficient to
prevent this kind of problem. If the session has expired it will renew
the session data. I am only using sessions to avoid having to do remote
calls for every request. I could also use the IP security feature and UA
matching to lock it down further, but it is not critical.
Cheers
Mark
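
The behaviour discussed in this message (a session ID carried in the URL, a 5 minute expiry, and optional IP and User-Agent matching), as an added example that is not part of the original post and is not CGI::Application or CGI::Session code. `SessionStore`, `resolve` and the sliding (idle-based) expiry are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 5 * 60  # the 5 minute expiry mentioned in the message


def _fingerprint(ip, user_agent):
    """Hash of the client attributes the session is bound to."""
    return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()


class SessionStore:
    """In-memory store; names are hypothetical, not CGI::Session's API."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._sessions = {}

    def _create(self, ip, user_agent):
        sid = secrets.token_urlsafe(32)  # unguessable ID for the URL
        self._sessions[sid] = {
            "expires": self.clock() + self.ttl,
            "client": _fingerprint(ip, user_agent),
            "data": {},
        }
        return sid

    def resolve(self, sid, ip, user_agent):
        """Return (session_id, data, reused) for the ID taken from the URL.

        An unknown, expired or foreign ID is never honoured: the caller gets
        a fresh, empty session and repopulates it (e.g. via the remote call).
        """
        entry = self._sessions.get(sid)
        if entry is not None and self.clock() >= entry["expires"]:
            del self._sessions[sid]  # expired: drop the cached data
            entry = None
        if entry is not None and not secrets.compare_digest(
                entry["client"], _fingerprint(ip, user_agent)):
            entry = None  # pasted or mailed URL: the owner's session is kept
        if entry is None:
            sid = self._create(ip, user_agent)
            return sid, self._sessions[sid]["data"], False
        entry["expires"] = self.clock() + self.ttl  # assumed sliding expiry
        return sid, entry["data"], True
```

Two clients behind the same NAT address with the same User-Agent string produce the same fingerprint, so the binding narrows reuse of a shared URL rather than ruling it out.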
##### CGI::Application community mailing list ################
## ##
## To unsubscribe, or change your message delivery options, ##
## visit: http://www.erlbaum.net/mailman/listinfo/cgiapp ##
## ##
## Web archive: http://www.erlbaum.net/pipermail/cgiapp/ ##
## Wiki: http://cgiapp.erlbaum.net/ ##
## ##
################################################################