On Wed, 10 May 2000, harm wrote:

> On Tue, May 09, 2000 at 03:36:38PM -0700, Jeffrey W. Baker wrote:
> > > 
> > > The cool thing about this is that relative links need not be rewritten at 
> > > all, the browser handles it!
> 
> <snip>
> 
> > 
> > I like to use session ids at the beginning of the URL for another
> > reason: the users understand it.  For example, if they visit a URL:
> > 
> > https://secretstartup.com/home/abcdef0987654321/foo/bar/baz/quux
> 
> Ok, that's convenient, but what if the user follows a link to a different
> site? Those having access to the logfile of the new site will be able to snoop the
> sessionids if they are fast enough (or have a script monitoring the
> logfiles) via the referer header.

That's a known problem regardless of whether the ID is at the beginning,
the end, or in the query string.  When linking to non-trusted sites, you
must always use an intermediate page to scrub the referer.  People leaving
my current project appear to have come from /leave.

IMHO the browsers should not send Referer when using SSL and jumping from
one host to another.

-jwb
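The leak harm describes and the /leave scrub jwb describes, as an added Python example that is not code from either poster. It assumes a session layout modelled on the URL quoted above (`/home/<hex id>/...` on `secretstartup.com`), Apache combined-format access logs, and a hypothetical `/leave?to=<url>` endpoint; the sample log lines are constructed, and the `Referrer-Policy` header is a modern addition that did not exist when this was written.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (not from the thread): our own host and the /home/<hex id>/
# layout are modelled on the URL quoted in the message above.
SITE_HOST = "secretstartup.com"
SESSION_PATH_RE = re.compile(r"^/home/([0-9a-f]{16,})(?=/|$)")
# Apache combined log format: request line, status, size, referer, user agent
LOG_RE = re.compile(r'"(?:[A-Z]+) (?:\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')


def session_id_in_url(url):
    """Return the session id carried in a URL's path, or None if there is none."""
    m = SESSION_PATH_RE.match(urlsplit(url).path)
    return m.group(1) if m else None


def rewrite_external_link(href):
    """Send links to other hosts through /leave; leave relative and same-host
    links untouched so the browser keeps resolving them inside /home/<id>/."""
    parts = urlsplit(href)
    if not parts.netloc or parts.netloc.lower() == SITE_HOST:
        return href
    return "/leave?" + urlencode({"to": href})


def leave_page(query_string):
    """Build the response for GET /leave?to=<url> (hypothetical endpoint).

    The page lives at a URL without a session id, so the Referer the next
    site sees is this /leave URL. A client-side refresh rather than a 302
    matters: browsers forward the original Referer across server redirects.
    Only absolute http(s) targets are accepted, so /leave cannot be pointed
    at javascript: or data: URLs. Referrer-Policy is a modern header, added
    here as belt and braces; it is not part of the 2000-era scheme.
    """
    target = parse_qs(query_string).get("to", [""])[0]
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 400, [("Content-Type", "text/plain")], "bad target"
    body = ('<html><head><meta http-equiv="refresh" content="0;url=%s">'
            '</head><body>Leaving for %s ...</body></html>'
            % (html.escape(target, quote=True), html.escape(parts.netloc)))
    headers = [("Content-Type", "text/html"), ("Referrer-Policy", "no-referrer")]
    return 200, headers, body


def referer_leaks(log_lines):
    """Scan combined-format access log lines (as seen by the site being
    linked to) and return the session ids that arrived in Referer, i.e. the
    ids a linking site exposed to this log's readers."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        sid = session_id_in_url(m.group("referer"))
        if sid:
            leaks.append((sid, m.group("referer")))
    return leaks


# Constructed sample log lines (not real traffic): the first carries a
# session id in Referer, the second came through /leave, the third has none.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2000:09:12:01 -0700] "GET /article HTTP/1.0" 200 5120 '
    '"https://secretstartup.com/home/abcdef0987654321/foo/bar/baz/quux" "Mozilla/4.7"',
    '198.51.100.7 - - [10/May/2000:09:12:40 -0700] "GET /article HTTP/1.0" 200 5120 '
    '"https://secretstartup.com/leave?to=https%3A%2F%2Fpartner.example%2Farticle" "Mozilla/4.7"',
    '203.0.113.9 - - [10/May/2000:09:13:05 -0700] "GET / HTTP/1.0" 200 812 "-" "Mozilla/4.7"',
]

if __name__ == "__main__":
    for sid, ref in referer_leaks(SAMPLE_LOG):
        print("session id %s exposed via Referer %s" % (sid, ref))
    print(rewrite_external_link("https://partner.example/article"))
```

Running the script flags only the first sample line; the second, which went out through `/leave`, carries the destination in its query string but no session id, which is the whole point of the intermediate page.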
