Rule #1: Never ever link directly to a remote site, but do it through a
redirector which makes sure that nothing that doesn't have to be sent to
the remote site gets sent to it. We use a handler that "listens" on
/redirect and turns URLs like:

        /redirect/http://www.disney.com 

into the obvious correct redirection directive without attaching anything
session related. The referer the remote site sees is
'http://some.host.com/redirect/http://www.disney.com'

Tobias

At 12:55 AM 5/10/00 +0200, harm wrote:
>> I like to use session ids at the beginning of the URL for another
>> reason: the users understand it.  For example, if they visit a URL:
>> 
>> https://secretstartup.com/home/abcdef0987654321/foo/bar/baz/quux
>
>Ok, that's convenient, but what if the user follows a link to a different
>site? Those having access to the logfile of the new site will be able to
>snoop the sessionids if they are fast enough (or have a script monitoring
>the logfiles) via the referer header.
>


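The redirector described in Tobias's message, written out as an added example (this is not code from the thread or from any project mentioned in it). All names (`REDIRECT_PREFIX`, `target_from_request_uri`, `redirect_response`) are hypothetical. Two things go beyond what the message says and are this example's own additions: the target is rebuilt from parsed components and restricted to absolute http(s) URLs, so the handler cannot be turned into an open redirector to javascript: or similar schemes; and because modern browsers carry the original page's Referer across an HTTP 302, the response also sets `Referrer-Policy: no-referrer` so the hop to the remote site sends none at all.

```python
"""Session-stripping redirector (added example; not code from the thread).

Links on session-carrying pages point at /redirect/<absolute URL>; this
handler answers with a 302 whose Location is the bare target. Nothing from
the request that is not part of the target itself (the session segment of
the page URL, cookies) is ever consulted, so nothing session related can
ride along. All names here are hypothetical.
"""
from urllib.parse import urlsplit, urlunsplit
from wsgiref.simple_server import make_server

REDIRECT_PREFIX = "/redirect/"
ALLOWED_SCHEMES = ("http", "https")  # refuse javascript:, data:, file: targets


def target_from_request_uri(uri):
    """Extract the outbound URL from '/redirect/http://host/path?q=1'.

    Returns None for anything that is not an absolute http(s) URL, so the
    handler cannot be abused as an open redirector to odd schemes or to a
    relative path back into this site.
    """
    if not uri.startswith(REDIRECT_PREFIX):
        return None
    parts = urlsplit(uri[len(REDIRECT_PREFIX):])
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Rebuild from components: normalises the scheme and drops the fragment
    # (which a browser never sends to the server anyway).
    return urlunsplit((parts.scheme.lower(), parts.netloc,
                       parts.path, parts.query, ""))


def redirect_response(environ):
    """Build (status, headers, body) for a WSGI environ dict."""
    # The WSGI server splits the query off into QUERY_STRING; put it back so
    # a target such as http://host/search?q=x keeps its own query.
    uri = environ.get("PATH_INFO", "")
    if environ.get("QUERY_STRING"):
        uri += "?" + environ["QUERY_STRING"]
    target = target_from_request_uri(uri)
    if target is None:
        return ("404 Not Found",
                [("Content-Type", "text/plain")],
                b"unknown redirect target\n")
    headers = [
        ("Location", target),
        # Browsers keep the original page's Referer across a 302; this tells
        # them to send none on the redirected request. (Addition beyond the
        # thread, which predates the Referrer-Policy header.)
        ("Referrer-Policy", "no-referrer"),
        ("Cache-Control", "no-store"),
        ("Content-Type", "text/plain"),
    ]
    return ("302 Found", headers, b"")


def application(environ, start_response):
    """Minimal WSGI entry point wrapping redirect_response."""
    status, headers, body = redirect_response(environ)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Serve on localhost and try:
    #   http://127.0.0.1:8000/redirect/http://www.disney.com
    with make_server("127.0.0.1", 8000, application) as httpd:
        httpd.serve_forever()
```

A request for `/redirect/http://www.disney.com` yields a 302 to `http://www.disney.com`; `/redirect/javascript:alert(1)` and `/redirect/foo` are refused with a 404 rather than forwarded.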