Geoffrey Young wrote:
>
> hi mungers...
>
> is there a more reliable way to not have your session id's show up in
> Referer headers than using a refresh tag? I've played around with various
> redirect methods, but both MSIE5 and Netscape4.7 hold on to the Referer from
> the original page and ignore the 302 page. seems like meta refresh is the
> only way to be sure.
>
> looking for expert opinions :)
>
I did some experimental work like this back when I first
implemented the cookieless session stuff for Apache::ASP,
and I found the same thing, that the meta refresh was really
the only way to go with redirecting offsite. This would
probably be the same for a javascript redirect too (untested).

When it comes to session ids in URIs I also wonder about
cases like search engines indexing pages with them, and
then someone coming along later and using an old session id.
This really makes it important to garbage collect old
sessions so that this session id reuse doesn't hurt. Most
major search engines have a very large index refresh window
such that even old sessions that expire in a day should be
enough protection.
--Josh
_________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NodeWorks Founder Huntington Beach, CA USA
http://www.nodeworks.com 1-714-625-4051
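
An added example, not part of the thread and not Apache::ASP code, of the two measures discussed above: an interstitial page, served from a URL that carries no session id, that sends the browser offsite with a meta refresh, and expiry of old session ids so that one picked up from a Referer log or a search index is no longer accepted. All function names, the one-day lifetime constant and the sample data are assumptions made for illustration.

```perl
use strict;
use warnings;
# Assumption: one-day lifetime, the figure mentioned in the reply above.
my $SESSION_TTL = 24 * 60 * 60;
my %sessions;    # hypothetical store: session id => last-access epoch time

# Escape a string for use inside a double-quoted HTML attribute.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

# Interstitial body, served from a URL with no session id; http(s) targets only.
sub offsite_refresh_page {
    my ($target) = @_;
    return unless defined $target && $target =~ m{\Ahttps?://[^\s[:cntrl:]]+\z}i;
    my $t = html_escape($target);
    return qq{<html><head><meta http-equiv="refresh" content="0; url=$t">}
         . qq{</head><body><a href="$t">Continue</a></body></html>\n};
}

# Accept a session id only if it exists and was used within the lifetime.
sub session_is_live {
    my ($id, $now) = @_;
    my $last = $sessions{$id};
    return 0 unless defined $last;
    if ($now - $last > $SESSION_TTL) { delete $sessions{$id}; return 0; }
    $sessions{$id} = $now;    # refresh the last-access time
    return 1;
}

# Periodic sweep: drop every session idle for longer than the lifetime.
sub gc_sessions {
    my ($now) = @_;
    my @stale = grep { $now - $sessions{$_} > $SESSION_TTL } keys %sessions;
    delete @sessions{@stale};
    return scalar @stale;
}

# Constructed sample data.
my $now = time;
%sessions = (fresh01 => $now - 600, old02 => $now - 3 * 86400);
print offsite_refresh_page('http://www.example.com/?a=1&b=2');
print "non-http target rejected\n"
    unless defined(offsite_refresh_page('javascript:void(0)'));
print "swept: ", gc_sessions($now), "\n";
print "old02 live: ", session_is_live('old02', $now), "\n";
print "fresh01 live: ", session_is_live('fresh01', $now), "\n";
```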