On Wed, 10 May 2000, harm wrote:
> On Tue, May 09, 2000 at 03:36:38PM -0700, Jeffrey W. Baker wrote:
> > >
> > > The cool thing about this is that relative links need not be rewritten at
> > > all, the browser handles it!
>
> <snip>
>
> >
> > I like to use session ids at the beginning of the URL for another
> > reason: the users understand it. For example, if they visit a URL:
> >
> > https://secretstartup.com/home/abcdef0987654321/foo/bar/baz/quux
>
> Ok, that's convenient, but what if the user follows a link to a different
> site? Those having access to the logfile of the new site will be able to snoop the
> session ids if they are fast enough (or have a script monitoring the
> logfiles) via the Referer header.
That's a known problem regardless of whether the ID is at the beginning,
the end, or in the query string. When linking to non-trusted sites, you
must always use an intermediate page to scrub the referer. People leaving
my current project appear to have come from /leave.
IMHO the browsers should not send Referer when using SSL and jumping from
one host to another.
-jwb
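[Editor's note: the "intermediate page to scrub the referer" described above, as an added worked example. This is not code from the thread or from jwb's project; the /leave path, the 16-hex-digit session segment (matching the example URL above), and the ?to= parameter are assumptions. Two caveats a practitioner wants here: the outbound link must be rooted at /leave, not a relative link that the browser would resolve underneath /home/<session-id>/, and the leave page must be a real page (meta refresh or a link) rather than a bare 302, because browsers carry the original page's Referer across HTTP redirects, which would leak the session id anyway. Modern browsers also honour the meta referrer tag and rel="noreferrer", so the external site then sees no Referer at all, or at most /leave in browsers that predate those.]

```python
import re
from html import escape
from urllib.parse import urlsplit, quote

# Assumed URL layout from the thread's example:
#   https://secretstartup.com/home/abcdef0987654321/foo/bar/baz/quux
# where the session id is a 16-hex-digit path segment.
SESSION_SEGMENT = re.compile(r"^[0-9a-f]{16}$")


def strip_session_from_path(path):
    """Remove any segment that looks like a session id.
    /home/abcdef0987654321/foo -> /home/foo
    Used to confirm a leave link carries no session id."""
    return "/".join(p for p in path.split("/") if not SESSION_SEGMENT.match(p))


def is_safe_external_target(url):
    """Accept only absolute http(s) URLs with a host and no userinfo.
    Rejecting javascript:, data:, schemeless (//host) and user:pw@host
    forms keeps the leave page from being an open-redirect gadget."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    return True


def leave_link(target, leave_path="/leave"):
    """Build the absolute-path link to put in page HTML for an outbound URL.
    Absolute (leading slash) so the browser does not resolve it relative
    to /home/<session-id>/ and re-introduce the id into the Referer."""
    return f"{leave_path}?to={quote(target, safe='')}"


def leave_page(target):
    """Build the (status, content-type, body) served at /leave?to=<target>.
    A real HTML page, not a 302: browsers keep the original Referer across
    HTTP redirects, so a 302 would still leak /home/<session-id>/...
    The meta referrer tag and rel="noreferrer" suppress the header entirely
    in browsers that understand them; older ones see at most /leave."""
    if not is_safe_external_target(target):
        return 400, "text/plain; charset=utf-8", "bad target\n"
    t = escape(target, quote=True)
    body = (
        "<!DOCTYPE html><html><head>"
        '<meta name="referrer" content="no-referrer">'
        f'<meta http-equiv="refresh" content="0;url={t}">'
        "</head><body>"
        f'<a href="{t}" rel="noreferrer">Continue to external site</a>'
        "</body></html>"
    )
    return 200, "text/html; charset=utf-8", body


if __name__ == "__main__":
    # Constructed sample: a page under a session path linking out.
    page_path = "/home/abcdef0987654321/foo/bar/baz/quux"
    out = "https://example.org/?a=1&b=2"
    link = leave_link(out)
    print("link in page:", link)
    print("session id in leave path?", strip_session_from_path(link) != link)
    status, ctype, body = leave_page(out)
    print(status, ctype)
    print(body)
```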