On 03 Oct 2009, at 05:25, Hassan Schroeder wrote:

>> However, cookieless sessions (where the session id is passed on
>> through parameters is
>
> one view: "generally a bad idea and poses a very big security risk
> (users can post a url with the session part included)."
>
> another view: an accepted practice on other platforms aware that
> mandating the use of cookies for full functionality may be culturally
> inappropriate or outright illegal. And if there's anything sensitive --
> financial, health, personal privacy -- involved in your app, then you
> should be using SSL anyway, which negates the above concern. :-)
You are missing the point here. Let's say you have average Joe using your site and logging in to get to personal information. He wants to link a public part of the site on Facebook and copies the url and pastes it in Facebook:

https://mysite.com/some-public-part/article-1?_session_id=4da564c784511cdf

Whether you are using SSL or not, anyone that clicks the url before the session expires will be logged in as average Joe, unless you somehow bind sessions to IPs or whatever. Even then certain privacy issues would come into play if someone on the same network would click the url.

Using cookies is a way of protecting users against themselves.

Best regards
Peter De Berdt
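The scenario Peter describes, as an added Ruby example that is not part of the original thread: a constructed in-memory session store, a constructed `Request` struct, and hypothetical helpers `user_from_url`, `user_from_cookie` and `strip_session_id` show why a URL-borne session id leaks to whoever clicks the pasted link while a cookie-based session does not, and how to scrub the id from a link before it is shared.

```ruby
require "uri"
require "cgi"

# Constructed in-memory session store: session id => logged-in user.
# The id is the one quoted in the message above, used purely as sample data.
SESSIONS = { "4da564c784511cdf" => "joe" }

# Constructed request: the URL the browser asked for plus the cookies it sent.
# A stranger who clicks Joe's pasted link sends the same URL but none of
# Joe's cookies.
Request = Struct.new(:url, :cookies)

# Cookieless sessions: the app trusts the _session_id query parameter.
def user_from_url(req)
  query = URI.parse(req.url).query
  return nil unless query
  sid = CGI.parse(query)["_session_id"].first
  SESSIONS[sid]
end

# Cookie-based sessions: the URL is ignored, only the cookie jar counts.
def user_from_cookie(req)
  SESSIONS[req.cookies["_session_id"]]
end

# Mitigation for a site still running cookieless sessions: strip the id
# from any URL before it is shared so the link no longer carries a credential.
def strip_session_id(url)
  uri = URI.parse(url)
  return url if uri.query.nil?
  params = CGI.parse(uri.query)            # values are arrays
  params.delete("_session_id")
  uri.query = params.empty? ? nil : URI.encode_www_form(params)
  uri.to_s
end

# Replay the story: Joe pastes the link, a stranger clicks it.
def share_scenario
  pasted   = "https://mysite.com/some-public-part/article-1?_session_id=4da564c784511cdf"
  joe      = Request.new(pasted, { "_session_id" => "4da564c784511cdf" })
  stranger = Request.new(pasted, {})
  {
    url_based:    [user_from_url(joe),    user_from_url(stranger)],    # both "joe"
    cookie_based: [user_from_cookie(joe), user_from_cookie(stranger)], # "joe", nil
    safe_link:    strip_session_id(pasted),
  }
end
```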

