Adi wrote:
>
> Thanks, Joshua. I tested out your development version 0.17 and it worked
> perfectly for me.
>
> One thing I noticed was that if GetSession is improperly used, it could
> cause big security holes. By nature it will be used to access someone
> else's session, so the application should take care not to send the other
> SessionID across the net. Even within an SSL connection (as I'm using) it's
> not wise to even let one other person know the SessionID of another user. I
> made an internal 1:1 reference map of SessionIDs to unique identifiers which
> then can be sent over the net safely, to allow controlled access to other
> sessions.
>
> Anyway, just thought I'd mention this, though I'm sure you already realized
> it. You might want to put a note in your API documentation to take care not
> to reveal the SessionID when you use GetSession.
>
You make a very good point. I'll add it to the docs.
About your session manager, I have been thinking about
starting up some sample applications repository for PerlScript
ASP applications, which could be easily distributed with
Apache::ASP. Would you be interested in publishing some
genericized version of your session manager? It seems
like a cool app.
-- Joshua
_________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NODEWORKS >> free web link monitoring Huntington Beach, CA USA
http://www.nodeworks.com 1-714-625-4051
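
The 1:1 map Adi describes, as an added example (not code from Adi or from Apache::ASP): clients only ever see a random handle, and the server translates it back to the SessionID before any session lookup. The `SessionHandleMap` package, its method names and the sample session ID are hypothetical, and the map is assumed to live in a single process's memory.

```perl
use strict;
use warnings;

package SessionHandleMap;

sub new { return bless { by_handle => {}, by_session => {} }, shift }

# 128 random bits from the kernel CSPRNG, hex-encoded. The handle is not
# derived from the session ID, so it reveals nothing about it.
sub _random_handle {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    my $got = read($fh, my $buf, 16);
    close $fh;
    die "short read from urandom" unless defined $got && $got == 16;
    return unpack('H*', $buf);
}

# Return the existing handle for a session ID, or mint one (keeps it 1:1).
sub handle_for {
    my ($self, $sid) = @_;
    my $h = $self->{by_session}{$sid};
    return $h if defined $h;
    do { $h = _random_handle() } while exists $self->{by_handle}{$h};
    $self->{by_handle}{$h}    = $sid;
    $self->{by_session}{$sid} = $h;
    return $h;
}

# Server-side only: map a client-supplied handle back to the session ID.
# Malformed or unknown handles yield undef, never a session.
sub session_for {
    my ($self, $h) = @_;
    return unless defined $h && $h =~ /\A[0-9a-f]{32}\z/;
    return $self->{by_handle}{$h};
}

# Call when a session ends so a stale handle stops resolving.
sub forget {
    my ($self, $sid) = @_;
    my $h = delete $self->{by_session}{$sid};
    delete $self->{by_handle}{$h} if defined $h;
    return;
}

package main;
my $map = SessionHandleMap->new;
my $sid = 'constructed-session-id-0001';    # constructed sample value
my $h   = $map->handle_for($sid);
print "handle for client: $h\n";
print "resolves server-side: ", ($map->session_for($h) eq $sid ? "yes" : "no"), "\n";
$map->forget($sid);
print "after forget: ", (defined $map->session_for($h) ? "valid" : "rejected"), "\n";
```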