Hi stefan,
any Proxy operator can do this with any non-SSL connection. One can spy session
ids in the URL, in the GET-parameters and the POST-parameters, also cookies and
basic auth passwords, also passwords in html forms - and every bit of data
that's sent back.
Oh, and firewall operators and router operators and all people on the same
physical network can do the same...
That's the reason why someone implemented SSL :-)
Date: 24.05.2001 18:02
To: "mod_perl" <[EMAIL PROTECTED]>
Subject: Re: Appending Sessionid to all the urls
Message text:
From: <[EMAIL PROTECTED]>
> A better way for session ids is to put them in front of the URI:
> http://www.nus.edu.sg/dfd3453/some/path/and/file.html
(...)
> These session ids are sticky as long as you only use relative paths in your
> html. Note: You may want to put your images in a directory that's not covered by
> this handler and use absolute paths...
But wouldn't the session ID get sent to other (possibly malicious) servers
as well - in the HTTP_REFERER, if the user clicks on an external link?
That might enable a script on that other server to grab your user's session.
I guess you could add an additional check including the original user's IP
address, but that's not really safe either. People working in the same
company could spy on each other if they use the same HTTP proxy.
Any known workarounds for this?
cheers,
stefan
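The leak stefan describes can be checked for mechanically: with the session id as the first path segment, any link whose target is on a different host sends the full page URL, session id included, as the Referer. The following is an added example, not code from this thread or from mod_perl, written in Python rather than Perl so it runs stand-alone. It assumes the URL layout quoted above (session id = first path segment, hex characters, 6 to 32 of them) and a small constructed HTML page; the IP-binding helper at the end is the check stefan proposes, kept as weak as he says it is.

```python
"""Audit a page whose session id lives in the URI path.

Added example, not code from the mod_perl thread. Assumes the layout in the
thread: http://www.nus.edu.sg/dfd3453/some/path/and/file.html, where the
first path segment is the session id and relative links inherit it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Session id = first path segment. The thread's example is 7 hex characters;
# 6..32 is an assumption so other generator lengths are accepted too.
SESSION_RE = re.compile(r"^/(?P<sid>[0-9a-f]{6,32})(?P<rest>/.*)?$", re.I)


def split_session(url):
    """Return (session_id, url_without_session) or (None, url) if no id is present."""
    parts = urlsplit(url)
    m = SESSION_RE.match(parts.path)
    if not m:
        return None, url
    clean = parts._replace(path=m.group("rest") or "/").geturl()
    return m.group("sid"), clean


class _LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def referer_leaks(page_url, html):
    """List (href, absolute_target) pairs where following the link hands the
    session id to a third-party host: the browser sends page_url, session id
    and all, as the Referer header to whatever host the link points at."""
    sid, _ = split_session(page_url)
    if sid is None:
        return []  # nothing in the path to leak
    page_host = urlsplit(page_url).netloc.lower()
    collector = _LinkCollector()
    collector.feed(html)
    leaks = []
    for href in collector.hrefs:
        target = urljoin(page_url, href)
        tparts = urlsplit(target)
        if tparts.scheme not in ("http", "https"):
            continue  # mailto:, javascript: etc. carry no Referer
        if tparts.netloc.lower() != page_host:
            leaks.append((href, target))
    return leaks


def session_bound_to_client(record, client_ip):
    """The extra IP check from the thread: accept the session only from the
    address it was created from. Weak when many users share one proxy,
    because they all arrive from the same address."""
    return record.get("ip") == client_ip


# Constructed sample page for the demo (not from the thread).
SAMPLE_PAGE = """<html><body>
<a href="news/today.html">Internal, relative: keeps the session sticky</a>
<a href="/dfd3453/account">Internal, absolute</a>
<a href="http://partner.example.net/promo">External partner site</a>
<a href="https://other.example.org/page">External, unrelated site</a>
<a href="mailto:webmaster@www.nus.edu.sg">Not HTTP</a>
</body></html>"""

if __name__ == "__main__":
    page = "http://www.nus.edu.sg/dfd3453/some/path/and/file.html"
    print("session, clean url:", split_session(page))
    for href, target in referer_leaks(page, SAMPLE_PAGE):
        print("leaks session id via Referer:", href, "->", target)
```

Running it against the constructed page flags only the two external links; the relative and absolute internal links keep the session id on the same host, and the mailto: link sends no Referer at all. Moving the session id into a cookie, as the thread's first reply implies, removes it from the Referer entirely, which is why the path-prefix trick only buys stickiness at the cost of this exposure.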