On Mon, 2001-11-12 at 16:39, Tom Collins wrote:
> At 7:15 PM -0600 11/11/01, Bill Shupp wrote:
> >Since the session id would need to be stored in all URLs and forms,
> >this is where most of the work would be in converting qmailadmin to
> >use session ids rather than IP addresses.
> >
> >The good news is that qmailadmin would remain cookie free. I just
> >implemented a similar scenario in PHP4 with its new session support.
> >Seems to work pretty well.
>
> Why is storing the session id in the URLs/FORMs preferable to a
> session cookie that expires when the user quits their browser (or
> "logs out")?
>
> It seems like it would be a lot of work to modify the URLs and FORMs
> through qmailadmin as opposed to modifying the code that
> authenticates the session. That session id could leak into the
> Referrer field if there are any "off site" links that appear in
> qmailadmin.
>
> Aren't cookies supported in most browsers (at least any capable of
> displaying the qmailadmin interface)? Could you fall back on
> IP-based sessions if the user is unwilling to accept a cookie?
>
> cookies != evil

Unfortunately for many people, cookies == evil

That's why we first wrote qmailadmin the way it is.

Ken Jones
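
The session-cookie alternative raised in the quoted message, as an added example that is not part of the original thread and is not qmailadmin code: a C CGI helper pair that issues the id in a cookie with no expiry and reads it back from HTTP_COOKIE, so the id never appears in a URL and cannot travel in the Referer header. The cookie name, the sample path and the HTTPS assumption behind Secure are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SID_COOKIE "qmasid" /* hypothetical cookie name, not qmailadmin's */

/* Accept only non-empty alphanumeric ids so a CR/LF or ';' can never
 * reach the response header or the session lookup. */
static int sid_ok(const char *s, size_t n)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i])) return 0;
    return 1;
}

/* Build the Set-Cookie line. No Expires/Max-Age, so the cookie ends when
 * the browser quits. Secure assumes the interface is served over HTTPS.
 * path is a trusted constant from the caller. Returns 0, or -1 on error. */
int build_session_cookie(char *out, size_t outlen, const char *sid, const char *path)
{
    if (!sid_ok(sid, strlen(sid))) return -1;
    int n = snprintf(out, outlen, "Set-Cookie: %s=%s; Path=%s; HttpOnly; Secure\r\n",
                     SID_COOKIE, sid, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Pull the session id out of the HTTP_COOKIE value ("a=b; c=d").
 * Matches the whole cookie name, never a suffix such as "xqmasid". */
int parse_session_cookie(const char *hdr, char *sid, size_t sidlen)
{
    const size_t namelen = strlen(SID_COOKIE);
    for (const char *p = hdr; p && *p; ) {
        while (*p == ' ' || *p == ';') p++;
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > namelen && !strncmp(p, SID_COOKIE, namelen) && p[namelen] == '=') {
            size_t vlen = len - namelen - 1;
            if (vlen >= sidlen || !sid_ok(p + namelen + 1, vlen)) return -1;
            memcpy(sid, p + namelen + 1, vlen);
            sid[vlen] = '\0';
            return 0;
        }
        p = end;
    }
    return -1;
}
```

A CGI would pass getenv("HTTP_COOKIE") to parse_session_cookie and treat any -1 as "no session", which is also the point where an IP-based fallback could be applied.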
