On Monday, November 12, 2001, at 04:39 PM, Tom Collins wrote:

> At 7:15 PM -0600 11/11/01, Bill Shupp wrote:
>> Since the session id would need to be stored in all URLs and forms,
>> this is where most of the work would be in converting qmailadmin to
>> use session ids rather than IP addresses.
>>
>> The good news is that qmailadmin would remain cookie free. I just
>> implemented a similar scenario in PHP4 with its new session support.
>> Seems to work pretty well.
>
> Why is storing the session id in the URLs/FORMs preferable to a session
> cookie that expires when the user quits their browser (or "logs out")?
>
> It seems like it would be a lot of work to modify the URLs and FORMs
> through qmailadmin as opposed to modifying the code that authenticates
> the session. That session id could leak into the Referrer field if
> there are any "off site" links that appear in qmailadmin.
>
> Aren't cookies supported in most browsers (at least any capable of
> displaying the qmailadmin interface)? Could you fall back on IP-based
> sessions if the user is unwilling to accept a cookie?
>
> cookies != evil
I'm not completely against cookies. I used them for all my web tools until recently for session management. However, I ran into many problems, almost exclusively with Microsoft Internet Explorer. Sometimes it was having to use specific time formats when deleting cookies, and in one case, I couldn't set a cookie for a duration of less than 2 hours. This was a real drag to say the least, and took a LONG time to track down.

The "referrer leak" you mentioned above is definitely a valid concern, and I don't have a good solution for it (yet). I don't mind rewriting the URLs that much, if this will be a better solution. I'm just not convinced that cookies are the best solution, and I know that other people on this list are very opposed to them.

Regards,

Bill Shupp
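As an added illustration of the two points argued above (the URL/form rewriting work, and the Referer leak through off-site links), here is example code that is not qmailadmin's and not Bill's: it rewrites same-host links to carry a session id, puts the id into forms as a hidden field (a GET form discards its action's query string, so rewriting the action alone would lose it), and reports every off-site link through which the browser's Referer would expose the id. The parameter name `sid`, the host `mail.example.com` and the sample HTML are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SID_PARAM = "sid"  # hypothetical parameter name, not qmailadmin's own
SAMPLE_HTML = (  # constructed sample, not a real qmailadmin page
    '<a href="/cgi-bin/qmailadmin/com/showusers?page=2">Users</a>'
    '<form action="/cgi-bin/qmailadmin/com/adduser" method="post"></form>'
    '<a href="http://www.example.org/docs/">Help</a>')

class SessionUrlRewriter(HTMLParser):
    def __init__(self, own_host, sid):
        super().__init__()
        self.own_host, self.sid = own_host, sid
        self.out, self.offsite = [], []
    def _offsite(self, url):
        host = urlsplit(url).netloc
        leaks = bool(host) and host != self.own_host
        if leaks:
            self.offsite.append(url)  # the Referer sent there carries the sid
        return leaks
    def _with_sid(self, url):
        if self._offsite(url):
            return url  # never append the id to a link that leaves the site
        parts = urlsplit(url)
        query = [(k, v) for k, v in parse_qsl(parts.query) if k != SID_PARAM]
        return urlunsplit(parts._replace(query=urlencode(query + [(SID_PARAM, self.sid)])))

    def handle_starttag(self, tag, attrs):
        rewritten = []
        for name, value in attrs:
            if value and tag == "a" and name == "href":
                value = self._with_sid(value)
            elif value and tag == "form" and name == "action":
                self._offsite(value)  # a GET form drops the action's query anyway
            rewritten.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(rewritten)))
        if tag == "form":  # so the id travels as a field, for GET and POST alike
            self.out.append('<input type="hidden" name="%s" value="%s">'
                            % (SID_PARAM, escape(self.sid, quote=True)))

    def handle_endtag(self, tag): self.out.append("</%s>" % tag)
    def handle_data(self, data): self.out.append(data)

def rewrite_page(html, own_host, sid):
    """Return (rewritten html, off-site links that would leak the sid)."""
    parser = SessionUrlRewriter(own_host, sid)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.offsite
```

The returned off-site list is what a maintainer would want to review: each entry is a link that should be turned into a same-host redirect or dropped before the session id goes into the URL.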
