Hi Sven,

I know that the sid param is ugly and, as you probably noticed, we try to avoid using it as much as possible. Unfortunately we cannot fully get rid of it. Shop remote access, disabled cookies, some security considerations or switching between SSL and non-SSL mode (think about http://shop.com and https://sharedsecureserver.com/shop.com ) are just a few reasons to keep it. Passing some hash value as you suggest doesn't solve this problem; we still need one param or another :)
Regards
Tomas Liubinas

> -----Original Message-----
> From: [email protected] [mailto:dev-general-[email protected]] On Behalf Of Sven Tietje
> Sent: Monday, November 02, 2009 12:38 PM
> To: [email protected]
> Subject: [oxid-dev-general] concept of oxsession
>
> hi oxid-list,
>
> just some simple notes, ideas and questions concerning the oxsession:
>
> 1. I'm currently "implementing" the oxid shop in our content management
> system. everything works fine and the oxid eshop works and performs great in
> our cms. thanks to oxid!
>
> but during debugging the oxsession, I got the impression that it's necessary
> to refactor that file ;) I think it's somehow a relic of oxid 3 :)
>
> 2. it would be very cool to have no sid, force_sid out there in urls and
> hidden fields. it's no problem to build that with php. and of course, it
> looks more professional. the usage of force_sid to switch between ssl and
> non-ssl is also unnecessary. it's no problem to use sessions between ssl and
> non-ssl.
>
> let's remove sids from url, please :)
>
> 3. christopher has already explained the remoteaccess bug to the list. of
> course it's somehow necessary to have a remoteaccess, especially for some
> modules (have a look at 5.). somehow for security reasons a
> boolean-parameter is perhaps too easy to use to "migrate sessions". (@oxid:
> it's NOT a security issue, then I'll use the official way!!!)
>
> of course, you have:
>
> 4. to do real session checks to avoid session hijacking, but that would be
> no problem. one big step to do that is to remove sid from url ;)
>
> 5. to make it possible to "migrate session" for modules: payment-modules
> that call a special oxid-url by http-request. but I think we can create a
> better system than the remoteaccess param, for example an additional hash or
> something like that.
>
> feel free to explain and discuss :)
>
> would be very cool to see a "new" oxsession in one of the next releases.
>
> sven
>
> _______________________________________________
> dev-general mailing list
> [email protected]
> http://dir.gmane.org/gmane.comp.php.oxid.general
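As an added illustration of the two points the thread turns on, keeping the session id out of URLs and hidden fields (Sven's item 2) and doing "real session checks" against hijacking (item 4), here is a plain-PHP sketch. It is example code written for this page, not code from the thread or from the OXID shop, and it assumes PHP 7.3 or newer (for the array form of session_set_cookie_params) and that the http and https sides of the shop share one hostname, which is exactly the assumption Tomas says does not always hold.

```php
<?php
// Added example (not OXID code): cookie-only sessions plus a per-request
// consistency check. Assumes PHP >= 7.3 and a single hostname for http/https.

// 1. Never accept or emit a session id anywhere but the cookie.
ini_set('session.use_only_cookies', '1');  // ignore ?sid=... in the query string
ini_set('session.use_trans_sid', '0');     // do not rewrite links/forms to carry the id
ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued (fixation)
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over https
    'httponly' => true,     // not readable by page scripts
    'samesite' => 'Lax',
]);
session_start();

// Cheap fingerprint of the client; assumption: UA + address is "good enough" here.
// Note: binding to REMOTE_ADDR logs out users whose address changes (mobile, proxies).
function clientFingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

// 2. Rotate the id whenever privilege changes (login, checkout start, ...).
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);           // old id becomes unusable immediately
    $_SESSION['uid'] = $userId;
    $_SESSION['fp']  = clientFingerprint();
}

// 3. On every request: if the stored fingerprint no longer matches, treat the
//    session as suspect and force re-authentication instead of trusting it.
if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], clientFingerprint())) {
    $_SESSION = [];
    session_destroy();
    header('Location: /login', true, 302);
    exit;
}
```

The settings in step 1 are what actually make "no sid in the url" hold, because with use_trans_sid left on, PHP itself will append the id to links and forms as soon as cookies are unavailable; disabling it means a visitor with cookies off simply gets no persistent session, which is the trade-off Tomas refers to. The fingerprint in step 3 is a heuristic, not proof of identity; a stricter check would re-prompt for the password before sensitive actions rather than rely on the address staying stable.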
