Ola Lundqvist <[email protected]> writes:

> So regarding your thought about why Rack has this and not others. Well I
> think all have the same issue. I think it is a little of a stretch that
> this can be used in practice. I mean an attacker must do a broad search of
> all possible session identifiers to make use of this. Or have I
> misunderstood something?
I suspect you are mostly correct. However, how many people would really notice if an attacker made numerous connections to their website in an attempt to exploit this?

-- 
Brian May <[email protected]>
