Joshua Chamas <[EMAIL PROTECTED]> writes:

> It reoccurred to me just now (back from a sessions methods discussion a long
> time ago) that these query string cookies might show up in the referer logs
> of other sites if you have offsite links on your session id pages. I tried a
> workaround just now where a redirect program would handle offsite links, but
> the HTTP_REFERER is sticky to the last page visited, and I see no workaround
> to this security issue.

Instead of redirecting them offsite, present a page saying "you're about to go
offsite" and use a refresh meta tag to send them on their way. If you set the
timeout on the refresh to 0 they won't even see the page and I would expect the
referrer to still be set.

You might even be able to use a refresh header instead of a meta tag and just
use a static html page.

--
greg
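The interstitial approach suggested in the reply above, as an added example that is not part of the original thread or of Apache::ASP. The parameter name `session-id`, the path `/offsite`, and all host names are assumptions made for illustration.

```python
from html import escape
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "session-id"    # assumed name of the query-string session parameter
INTERSTITIAL_PATH = "/offsite"  # hypothetical path of the "you're leaving" page


def strip_session(url):
    """Return url without the session parameter, e.g. before logging or linking it."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def offsite_link(target):
    """Link to place on session pages: points at the interstitial, no session id."""
    return f"{INTERSTITIAL_PATH}?to={quote(target, safe='')}"


def interstitial_page(target):
    """Render the intermediate page with a zero-delay meta refresh to target."""
    parts = urlsplit(target)
    # Accept only absolute http(s) targets so the page cannot be pointed at
    # script or data URLs.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("offsite target must be an absolute http(s) URL")
    safe = escape(target, quote=True)  # target lands inside HTML attributes
    return (
        "<!DOCTYPE html>\n<html><head>\n"
        f'<meta http-equiv="refresh" content="0; url={safe}">\n'
        "<title>Leaving this site</title>\n</head><body>\n"
        f'<p>You\'re about to go offsite: <a href="{safe}">{safe}</a></p>\n'
        "</body></html>\n"
    )


if __name__ == "__main__":
    # Constructed sample values.
    print(strip_session("http://shop.example/cart?session-id=abc123&item=7"))
    print(offsite_link("http://example.org/a?b=1&c=2"))
    print(interstitial_page("http://example.org/a?b=1&c=2"))
```

The interstitial only helps if its own URL is exempt from session-id rewriting; otherwise the id travels in the interstitial's URL instead of the session page's.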