> > If you happen to type in a URL, they can revive your
> > session from the cookie. Pretty nifty trick.
>
> This would seem to be a security hole to me. URLs appear in the logs
> of the server as well as any proxy servers along the way. If the URL
> contains reusable auth info, anybody accessing any of the logs could
> gain access to customer accounts.

I disagree. The server logs are somewhat irrelevant because they should already be under access control, and they could contain anything including HTTP headers and content from post requests. As for proxies, they see the entire HTTP transaction anyway. If they aren't trusted, the data should be encrypted end-to-end with SSL.

If the session-id is in the URL, an end-user cannot accidentally get a personalized page intended for somebody else. As you mentioned, you could prevent an intermediate cache from caching the page with a "Cache-Control: private", but you then need to trust that the cache is HTTP/1.1 compliant.

If anybody is afraid of using Amazon now, I believe David mentioned in a previous post that Amazon switches to SSL (and a new session id) whenever you deal with data they feel should be kept private. :-)

- Kyle
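
An added example, not part of the original thread: one way to address the log-exposure concern in the quoted message is to replace session ids in logged URLs (request line and Referer alike) with a keyed one-way tag, so log readers can still correlate a session but cannot replay it. The `sid`/`sessionid` parameter names, the sample log lines and the key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: the session id travels in a query parameter named sid or sessionid.
SESSION_RE = re.compile(
    r'(?P<prefix>[?&;](?:sid|sessionid)=)(?P<value>[^&;#\s"]+)', re.IGNORECASE
)

# Constructed demo key; in practice a secret stored outside the log pipeline.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample entries in combined log format (request line + Referer).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cart?item=42&sid=AAA111 '
    'HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2000:10:00:05 +0000] "GET /checkout?sid=AAA111 '
    'HTTP/1.0" 200 900 "http://shop.example/cart?item=42&sid=AAA111" "Mozilla/4.0"',
    '192.0.2.77 - - [01/Jan/2000:10:01:00 +0000] "GET /cart?sid=BBB222 '
    'HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]


def pseudonym(session_id: str, key: bytes) -> str:
    """Keyed one-way tag: stable per session, useless as a credential."""
    digest = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return "redacted-" + digest[:12]


def scrub_line(line: str, key: bytes) -> str:
    """Replace every session id value in a log line, leaving the rest untouched."""
    return SESSION_RE.sub(
        lambda m: m["prefix"] + pseudonym(m["value"], key), line
    )


def scrub_log(lines, key: bytes):
    """Scrub an iterable of log lines and return them as a list."""
    return [scrub_line(line, key) for line in lines]


if __name__ == "__main__":
    for entry in scrub_log(SAMPLE_LOG, DEMO_KEY):
        print(entry)
```
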