Remi Fasol wrote:
>
> > On Tue, 7 Dec 1999, Joshua Chamas wrote:
> > > > > I am going to give ASP developers a session option, it should be
> > > > > possible to make secure.
>
> Stas Bekman wrote:
> > But if you intercept the redirection, why not to strip/modify the
> > HTTP_REFER header at the server side?
>
> how about a call to something like
>
> <a href="<%= $Server->StripSession('evil.perl.com') %>">evil perl session pirates</a>
> ...

I think that this will need to be implemented by
the developer, since there needs to be a separate
page that serves as the redirector, so the client
will send that as the HTTP_REFERER.

I could potentially integrate this into Apache::ASP
as a prescript handler, where $Server->StripSession()
could just call the current script with querystring
__URL=$url&__SAFE=1, and the Apache::ASP would output
the <meta refresh> with some alternate <a href> html
for non-supporting browsers. There would be no real
script invocation besides this functionality, no
events called, nothing.

A problem here is that Apache::ASP is really extending
its model from a per script oriented model to a more
global handler, which I'm having a hard time with
conceptually. Also, this solution would reserve
parts of the QueryString's namespace for ASP use,
which has so far remained unscathed.

Thoughts?

-- Joshua
_________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NodeWorks >> free web link monitoring Huntington Beach, CA USA
http://www.nodeworks.com 1-714-625-4051
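
The redirector page discussed in the message above, as an added example that is not part of the original post and is not Apache::ASP code. The helper names `strip_session_link` and `redirector_page` and the path `/redirect.asp` are hypothetical; only the `__URL` and `__SAFE` parameter names come from the message.

```perl
#!/usr/bin/perl
# Added sketch of the redirector idea; not Apache::ASP's own implementation.
use strict;
use warnings;

# Percent-encode a value for a query string (unreserved characters kept).
sub uri_escape_value {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Escape text before placing it in HTML attributes or body text.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Hypothetical helper: link to the redirector instead of the external site.
# Assumption: $script is a path that carries no session id of its own, so the
# Referer the external site receives is the redirector URL only.
sub strip_session_link {
    my ($script, $url) = @_;
    return $script . '?__URL=' . uri_escape_value($url) . '&__SAFE=1';
}

# Hypothetical handler body: HTML for an already-decoded __URL value.
# Returns undef unless the target is an absolute http(s) URL, so the page
# cannot be made to emit javascript: or data: targets or injected markup.
sub redirector_page {
    my ($url) = @_;
    return undef unless defined $url && $url =~ m{\Ahttps?://[^\s"'<>]+\z}i;
    my $safe = html_escape($url);
    return join "\n",
        '<html><head>',
        qq{<meta http-equiv="refresh" content="0; url=$safe">},
        '</head><body>',
        qq{<a href="$safe">Continue to $safe</a>},   # fallback when refresh is ignored
        '</body></html>';
}

# Constructed sample values.
print strip_session_link('/redirect.asp', 'http://evil.perl.com/'), "\n";
print redirector_page('http://evil.perl.com/'), "\n";
my $bad = redirector_page('javascript:alert(1)');
print defined($bad) ? "accepted\n" : "rejected\n";
```

Validating the `__URL` value before echoing it matters because a redirector that accepts any target is an open redirect and reflects attacker-supplied text into the page.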