>>>>> "Serge" == Serge Sozonoff <[EMAIL PROTECTED]> writes:

Serge> Hello,
>> It will work fine, but the problem still remains that the 
>> incoming page URL has the session-id in it, so that when you go 
>> offsite, the referer header sent by the client has the client's 
>> session id in it still, and the unethical webmaster could easily 
>> then access the users' sessions by looking at the referer logs.

Serge> There is a little article about cookie-less sessions at:

Serge> www.webdevelopersjournal.com/columns/stateful.html

And this method requires client-side javascript enabled (mine is not,
thank you), *and* frames your entire site, so bookmarking is useless.

Nope, I wouldn't put it into the "useful robust" category.
You're still back to:

cookies (maybe disabled)
hidden fields (only with form submissions)
mangled URLs (all pages must be dynamically generated)
auth (like BasicAuth where you "log in")

And one *new* one that I pondered recently, that can be used as long
as you presume HTTP/1.1... 

I don't have time to write it up here, but it permits:

1) bookmarking of sessions
2) no rewriting of URLs for static pages, even if they have links
3) access to session ID even by mod_cgi scripts
4) new sessions are started by a simple external redirect
5) one simple PerlTransHandler could provide the master session-start for any URL

downside: you must have access to a UDP port 53 somewhere and DNS delegation

I'll write up more after I've done some testing.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
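As an added example (not part of this thread or anyone's posted code), a small Python handler illustrating the leak described in the quoted text and the cookie option from the list above: a session id arriving in the URL is moved into a cookie by a redirect, so the address bar, and therefore any outbound Referer, no longer carries it. The parameter name `session_id`, the cookie name `sid` and the example.test URLs are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "session_id"  # assumed name of the URL-mangled session parameter
COOKIE_NAME = "sid"           # assumed cookie name used after the redirect


def strip_session_param(url):
    """Return (url_without_session_param, session_id_or_None)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sid = next((v for k, v in pairs if k == SESSION_PARAM), None)
    kept = [(k, v) for k, v in pairs if k != SESSION_PARAM]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, sid


def referer_leaks_session(referer):
    """True if this Referer value would hand the session id to the linked site."""
    return strip_session_param(referer)[1] is not None


def handle(url, cookie_header=""):
    """Minimal request handler.

    If the session id is in the URL, answer 302 to the same URL without it
    and set a cookie carrying the id; later requests are identified by the
    cookie alone. Returns (status, headers, session_id_in_effect).
    """
    cookies = SimpleCookie(cookie_header)
    clean, url_sid = strip_session_param(url)
    if url_sid is not None:
        # After this redirect the browser never displays the id again, so an
        # offsite link from the clean page sends a Referer without it.
        headers = {
            "Location": clean,
            "Set-Cookie": f"{COOKIE_NAME}={url_sid}; Path=/; HttpOnly",
        }
        return 302, headers, url_sid
    if COOKIE_NAME in cookies:
        return 200, {}, cookies[COOKIE_NAME].value
    # Neither URL nor cookie carried a session: anonymous request. If the
    # client has cookies disabled, the redirect above will loop it back here
    # without a session, which is the trade-off the thread lists for cookies.
    return 200, {}, None
```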
