> -----Original Message-----
> From: Daniel Rossi [mailto:[EMAIL PROTECTED]
> Sent: 12 October 2007 12:09
> To: Zend Framework General
> Subject: [fw-general] Securely exposing session id from Zend_Auth
>
> Hi there, tricky question I have a project which is using
> Zend_Auth, however when loading a controller via a windows
> media player plugin in firefox, the netscape plugin will
> attempt to create its own session cookie requiring the session
> id to be sent in the params to the controller outputting a
> playlist. How is it possible to securely expose the session
> id, ie encrypting it and adding as a javascript variable, so
> it can be sent along with the request to the src of the
> plugin object code.
>
> Sorry if this might sound confusing here is how the
> javascript code builds the embed like
>
> src='/videocontroller/k/sessionidhere'
>
> My issue is if it's exposed is it possible to add the session
> cookie into another browser to get around the Zend_Auth login ?

Do you need to access the session for the video url, or is it just to ensure that only logged in people can view videos? If the latter, just create and use an unpredictable token. For instance a hash of the url, a secret key, and the time. And use a url like /videocontroller/hash/time. Then the video controller can validate the hash, check the time isn't too distant, and then stream the video.

Jared
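
The signed-URL scheme described in the reply above, as an added example that is not part of the original thread or of Zend Framework. It uses HMAC-SHA256 as the keyed hash (a substitution for a plain hash of the concatenated values); the function names, the secret, and the 300-second window are assumptions.

```php
<?php
// Added example: names, the secret and the time windows below are assumptions.
const VIDEO_URL_SECRET = 'replace-with-random-server-side-secret'; // constructed placeholder
const MAX_AGE_SECONDS  = 300;
const MAX_SKEW_SECONDS = 30;

// Keyed hash over the resource path and the issue time.
function sign_video_path(string $path, int $issuedAt, string $secret): string
{
    // The "\n" separator keeps path and time unambiguous when joined.
    return hash_hmac('sha256', $path . "\n" . $issuedAt, $secret);
}

// Build the URL handed to the plugin: /videocontroller/<hash>/<time>
function build_video_url(string $path, int $now, string $secret): string
{
    return sprintf('%s/%s/%d', $path, sign_video_path($path, $now, $secret), $now);
}

// Validate what the video controller receives before it streams anything.
function is_valid_video_request(string $path, string $hash, string $time, int $now, string $secret): bool
{
    // Reject non-numeric times before they reach any arithmetic.
    if (!ctype_digit($time)) {
        return false;
    }
    $issuedAt = (int) $time;
    // Reject links that are too old, or dated in the future beyond clock skew.
    if ($now - $issuedAt > MAX_AGE_SECONDS || $issuedAt - $now > MAX_SKEW_SECONDS) {
        return false;
    }
    // Constant-time comparison avoids leaking how many characters matched.
    return hash_equals(sign_video_path($path, $issuedAt, $secret), $hash);
}

// Round trip with a constructed path: issue a link, then check three requests.
$now = time();
$url = build_video_url('/videocontroller', $now, VIDEO_URL_SECRET);
[, , $hash, $time] = explode('/', $url); // ['', 'videocontroller', <hash>, <time>]

var_dump(is_valid_video_request('/videocontroller', $hash, $time, $now, VIDEO_URL_SECRET));        // fresh link
var_dump(is_valid_video_request('/videocontroller', $hash, $time, $now + 3600, VIDEO_URL_SECRET)); // expired link
var_dump(is_valid_video_request('/videocontroller', $hash, (string) ($time + 1), $now, VIDEO_URL_SECRET)); // altered time
```

The token carries no session id, so copying the link into another browser does not yield a Zend_Auth login; it does let whoever holds the link request the video until the time window closes.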
