Jeffrey Baker wrote:
>
> Secure sessions are hard work. You need to sit down and evaluate whether or not you
> actually need *secure* sessions. If you decide that enough is at stake to really
> tighten the screws, then read on.
>
> The problem of the session ID in HTTP_REFERER is easy to tackle. You just need to
> rewrite every URL on your secure site to be a redirect from a page that doesn't
> include the session ID. For example:
>
> http://cnn.com/
>
> becomes
>
> http://myhost.com/strip_session?url=http://cnn.com/
>
> and the HTTP_REFERER at cnn.com doesn't include the session ID. Clearly the path
> strip_session needs to not require a session ID.
>
> -jwb
>
Does this really work? I tried this locally, and it didn't.
The HTTP_REFERER was still sent as from the original page
even though there was an intervening redirect script.
This referer had the original session-id in it.
So a page like:

    page.asp?session-id=aasdfdasfdsafadsfadsf

which pointed to a redirect script for http://cnn.com like:

    redirect.asp?url=http://cnn.com

At cnn.com, the HTTP_REFERER => page.asp?session-id=aasdfdasfdsafadsfadsf
not redirect.asp?url=http://cnn.com as I would have hoped.
I don't need these non-cookie secure sessions myself, but if
I am going to give ASP developers a session option, it should be
possible to make secure.
-- Joshua
_________________________________________________________________
Joshua Chamas                            Chamas Enterprises Inc.
NodeWorks >> free web link monitoring    Huntington Beach, CA USA
http://www.nodeworks.com                 1-714-625-4051
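The behaviour Joshua observed is what one expects of a 3xx redirect: the browser keeps the Referer of the page that held the link, so the hop through redirect.asp changes nothing. The sketch below is an added example (not code from this thread or from Apache::ASP) of a strip_session handler that instead serves a real HTML page at a URL with no session id, so whatever Referer the browser sends for the onward request (that page's URL, or nothing) cannot carry the id. The parameter name session-id, the strip_session path and the myhost.com/cnn.com hosts are taken from the thread; the meta-refresh interstitial is my suggestion.

```python
"""strip_session as an interstitial page rather than a 302 (example code)."""
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse, urlsplit

SESSION_PARAM = "session-id"   # query parameter name used in the thread


def strip_session(query_string: str) -> tuple[int, dict, str]:
    """Handle GET /strip_session?url=...; returns (status, headers, body).

    Deliberately answers 200 with a self-contained HTML page instead of a
    3xx Location redirect, so the browser's onward Referer (if any) is this
    page's own URL, which never contains the session id.
    """
    target = parse_qs(query_string).get("url", [""])[0]
    parts = urlsplit(target)
    # Only forward to absolute http(s) URLs; reject anything else.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 400, {"Content-Type": "text/plain"}, "bad url"
    safe = escape(target, quote=True)
    body = (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        "</head><body>"
        f'Leaving this site. <a href="{safe}">Continue</a>'
        "</body></html>"
    )
    return 200, {"Content-Type": "text/html"}, body


def rewrite_outbound(href: str, site_base: str = "http://myhost.com") -> str:
    """Rewrite an external link into the strip_session form from the thread."""
    return f"{site_base}/strip_session?" + urlencode({"url": href})


def leaks_session(url: str) -> bool:
    """True if a URL's query string still carries the session id.

    Useful as an audit check over the links a page emits: every outbound
    href should be a rewrite_outbound() result for which this is False.
    """
    return SESSION_PARAM in parse_qs(urlparse(url).query)
```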