Hi oxid-list, just some simple notes, ideas and questions concerning the oxsession:

1. I'm currently "implementing" the OXID shop in our content management system. Everything works fine and the OXID eShop works and performs great in our CMS. Thanks to OXID! But while debugging the oxsession, I got the impression that it's necessary to refactor that file ;) I think it's somehow a relic of OXID 3 :)

2. It would be very cool to have no sid / force_sid out there in URLs and hidden fields. It's no problem to build that with PHP, and of course it looks more professional. The usage of force_sid to switch between SSL and non-SSL is also unnecessary; it's no problem to use sessions between SSL and non-SSL. Let's remove sids from the URL, please :)

3. Christopher has already explained the remoteaccess bug to the list. Of course it's somehow necessary to have a remoteaccess, especially for some modules (have a look at 5.). Somehow, for security reasons, a boolean parameter is perhaps too easy to use to "migrate sessions". (@oxid: if it's NOT a security issue, then I'll use the official way!!!) Of course, you have:

4. to do real session checks to avoid session hijacking, but that would be no problem. One big step to do that is to remove the sid from the URL ;)

5. to make it possible to "migrate sessions" for modules: payment modules that call a special OXID URL by HTTP request. But I think we can create a better system than the remoteaccess param, for example an additional hash or something like that.

Feel free to explain and discuss :) Would be very cool to see a "new" oxsession in one of the next releases.

sven

_______________________________________________
dev-general mailing list
[email protected]
http://dir.gmane.org/gmane.comp.php.oxid.general
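The three points above (points 2, 4 and 5: no sid in URLs, a hijacking check, and a signed hash instead of the boolean remoteaccess param for payment callbacks) sketched as an added example. This is illustration code written for this note, not code from OXID eShop or from the poster, and it uses plain PHP session functions rather than anything from oxsession. It assumes the whole shop is served over HTTPS (for the `secure` cookie flag), that order ids never contain `|`, and that `$usedNonces` stands in for a database table of consumed tokens; all function names here are made up for the example.

```php
<?php
declare(strict_types=1);

// Added example, not OXID code. Three pieces: sessions without a sid in URLs,
// a session check bound to the client, and an HMAC token for payment callbacks.

// 1. Session id lives in a cookie only; PHP never appends it to links or forms.
function configureCookieOnlySession(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore ?sid= in the query string
    ini_set('session.use_trans_sid', '0');    // no rewriting of links and hidden fields
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // assumption: the whole shop is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// 2. Bind the session to the client when it is created and rotate the id on
// login. Written over a plain array so it can be exercised without a request.
function bindSession(array &$session, string $userAgent): void
{
    $session['ua_hash'] = hash('sha256', $userAgent);
    $session['created'] = time();
}

function sessionLooksHijacked(array $session, string $userAgent): bool
{
    return !isset($session['ua_hash'])
        || !hash_equals($session['ua_hash'], hash('sha256', $userAgent));
}

function onLoginSuccess(): void
{
    session_regenerate_id(true); // drop any id that was fixed into the browser before login
}

// 3. Callback token: order id, expiry and nonce, signed with a server-side secret.
// The payment module gets it in the redirect URL and sends it back; the shop
// checks signature, expiry and single use. No session id has to travel anywhere.
function issueCallbackToken(string $secret, string $orderId, int $ttlSeconds, int $now): string
{
    $payload = $orderId . '|' . ($now + $ttlSeconds) . '|' . bin2hex(random_bytes(8));
    $mac = hash_hmac('sha256', $payload, $secret);
    return rtrim(strtr(base64_encode($payload . '|' . $mac), '+/', '-_'), '=');
}

// Returns the order id on success, null on any failure. $usedNonces stands in
// for a database table of tokens that have already been consumed.
function verifyCallbackToken(string $secret, string $token, int $now, array &$usedNonces): ?string
{
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false) { return null; }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) { return null; }
    [$orderId, $expires, $nonce, $mac] = $parts;
    $payload = $orderId . '|' . $expires . '|' . $nonce;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) { return null; } // forged or modified
    if (!ctype_digit($expires) || (int)$expires < $now) { return null; }              // expired
    if (isset($usedNonces[$nonce])) { return null; }                                   // replayed
    $usedNonces[$nonce] = true;
    return $orderId;
}

// Demo with constructed values (the secret is a placeholder, not a real key).
$secret = 'placeholder-server-secret';
$used = [];
$token = issueCallbackToken($secret, 'order-4711', 900, time());
var_dump(verifyCallbackToken($secret, $token, time(), $used));       // fresh token
var_dump(verifyCallbackToken($secret, $token, time(), $used));       // same token again, treated as replay
var_dump(verifyCallbackToken($secret, $token . 'x', time(), $used)); // modified token
```

The token carries everything the callback handler needs, so the shop can process a payment notification without resurrecting the customer's session at all; the session stays cookie-only on the browser side, which is what makes the sid-free URLs of point 2 and the hijacking checks of point 4 practical.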
