B.C. Lance wrote...

> One reason that I could think of for not including the session id in the URL and
> using cookies instead would be copy & paste.
> 
> Users could just copy and paste the URL and send it to his/her friends, and it
> could be a considerable number of people. Imagine a couple of people clicking on
> the link. That session will be shared among that number of active people at that
> particular time. In short, session hijacking will occur.

True, but my understanding is that I can also check this against the user's
IP address -- not perfect given NAT and proxies and all, but at least you'd
limit the damage.  I'm sure some of the more experienced people on the list
can suggest additional stuff to check against.

-- 
Charles Wiltgen

   "Well, once again my friend, we find that science is a two-headed beast.
    One head is nice, it gives us aspirin and other modern conveniences...
    but the other head of science is bad!  Oh beware the other head of
    science...it bites!" -- The Tick
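As an added example (not code from this thread or from anyone on the list), here is one way to do the IP check Charles describes in PHP: the session id travels only in a cookie, and the session is bound to a fingerprint of the client's network and User-Agent, so a pasted id stops working for anyone outside that /24. The function name, the /24 comparison and the logging line are assumptions, not anything the thread specifies.

```php
<?php
// Added example (not from the thread): bind a cookie-based PHP session to
// the client it was created from, as a partial defence against a shared or
// pasted session identifier. Function name and policy are assumptions.

// Keep the session id out of URLs entirely; it travels only in the cookie.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Returns true when the session may continue, false when it was reset
// because the client no longer matches the recorded fingerprint.
function session_binding_ok(): bool
{
    // Compare the IPv4 /24 rather than the full address so a client whose
    // NAT pool rotates within one subnet is not logged out spuriously. This
    // is a trade-off: it also widens the set of hosts that pass the check.
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    $net = (strpos($ip, ':') === false) ? preg_replace('/\.\d+$/', '.0', $ip) : $ip;
    $fingerprint = hash('sha256', $net . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));

    if (!isset($_SESSION['binding'])) {
        // First request of this session: record the fingerprint.
        $_SESSION['binding'] = $fingerprint;
        return true;
    }
    if (hash_equals($_SESSION['binding'], $fingerprint)) {
        return true;
    }
    // Mismatch: drop all state and issue a fresh id so the old id, if it
    // leaked, is now worthless. Record the event for the operator.
    error_log('session binding mismatch for id ' . session_id());
    $_SESSION = [];
    session_regenerate_id(true);
    return false;
}

if (!session_binding_ok()) {
    http_response_code(403);
    exit('Session invalidated; please log in again.');
}
```

Clients behind large proxies or carrier NAT can still share a /24, so this limits the damage as the reply says rather than preventing reuse; the User-Agent component only raises the bar slightly since it is attacker-controlled.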

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php