At 7:15 PM -0600 11/11/01, Bill Shupp wrote:
>Since the session id would need to be stored in all URLs and forms, 
>this is where most of the work would be in converting qmailadmin to 
>use session ids rather than IP addresses.
>
>The good news is that qmailadmin would remain cookie free.  I just 
>implemented a similar scenario in PHP4 with its new session support. 
>Seems to work pretty well.

Why is storing the session id in the URLs/FORMs preferable to a 
session cookie that expires when the user quits their browser (or 
"logs out")?

It seems like it would be a lot of work to modify the URLs and FORMs 
through qmailadmin as opposed to modifying the code that 
authenticates the session.  That session id could leak into the 
Referrer field if there are any "off site" links that appear in 
qmailadmin.

Aren't cookies supported in most browsers (at least any capable of 
displaying the qmailadmin interface)?  Could you fall back on 
IP-based sessions if the user is unwilling to accept a cookie?

cookies != evil

--
Tom Collins, CTO       InstallCo Computer Services
[EMAIL PROTECTED]      <http://www.installco.com/>
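
The cookie approach argued for above, sketched for a C CGI, with the IP-based fallback the message proposes. This is an added example, not part of the original message and not qmailadmin's code; the cookie name `qmasid`, the 32-hex-character id format, the cookie attributes and all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SID_COOKIE "qmasid" /* hypothetical cookie name */
#define SID_LEN 32u         /* assumed format: 32 hex characters */

/* Build the header for a session cookie. With no Expires or Max-Age
 * attribute the browser drops it when the user quits. */
int format_session_cookie(char *out, size_t outlen, const char *sid)
{
    int n = snprintf(out, outlen, "Set-Cookie: %s=%s; Path=/; HttpOnly\r\n",
                     SID_COOKIE, sid);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Pull the id out of the CGI HTTP_COOKIE value ("a=1; qmasid=<hex>; b=2").
 * Returns 0 on success, -1 if absent or not exactly SID_LEN hex chars. */
int parse_session_cookie(const char *cookies, char *sid, size_t sidlen)
{
    size_t namelen = strlen(SID_COOKIE), i;
    const char *p = cookies;
    if (!cookies || sidlen < SID_LEN + 1) return -1;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;   /* skip pair separators */
        if (strncmp(p, SID_COOKIE, namelen) == 0 && p[namelen] == '=') {
            const char *v = p + namelen + 1;
            for (i = 0; i < SID_LEN; i++) {
                if (!isxdigit((unsigned char)v[i])) return -1;
                sid[i] = v[i];
            }
            sid[SID_LEN] = '\0';
            return (v[SID_LEN] == '\0' || v[SID_LEN] == ';') ? 0 : -1;
        }
        while (*p && *p != ';') p++;          /* advance to next pair */
    }
    return -1;
}

/* Decide what the session is keyed on: 1 = cookie, 2 = client IP
 * (fallback when no cookie came back), -1 = neither available. */
int session_source(const char *cookies, const char *remote_addr, char *sid)
{
    if (parse_session_cookie(cookies, sid, SID_LEN + 1) == 0)
        return 1;
    sid[0] = '\0';                 /* never leave a partial id behind */
    return (remote_addr && *remote_addr) ? 2 : -1;
}
```

Because the id travels only in the `Cookie` request header, it never appears in a page URL and so cannot reach an off-site link's Referer header.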