>I did some experimental work like this back when I first
>implemented the cookieless session stuff for Apache::ASP,
>and I found the same thing, that the meta refresh was really
>the only way to go with redirecting offsite.  This would
>probably be the same for a JavaScript redirect too (untested).

cool - thanks

>
>When it comes to session ids in URIs I also wonder about
>cases like search engines indexing pages with them, and 
>then someone coming along later and using an old session id,
>this really makes it important to garbage collect old 
>sessions so that this session id reuse doesn't hurt.  Most
>major search engines have a very large index refresh window
>such that even old sessions that expire in a day should be
>enough protection.

I suppose that's true for unauthenticated state management, which I actually
hadn't been thinking about - good point. 

--Geoff
