* Jonas Sicking wrote:
It was brought up by Billy Hoffman (http://zoompf.com) that some web
applications have very sensitive sessions and they are set up to expire the
session (i.e., log the person out) if a request is received that has no
session cookie header in it, etc. The assertion was that
On Wed, 10 Nov 2010 21:40:01 +0100, Bjoern Hoehrmann derhoe...@gmx.net
wrote:
You can expire the client-side part of the session without knowing which
session it is, so long as the browser reads the Set-Cookie header in the
response. You could simply respond with an expired Set-Cookie header to
On Wed, Nov 10, 2010 at 2:43 PM, Getify get...@gmail.com wrote:
Ah okay. So that would never work. As things tagged with anonymous,
XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
Set-Cookie headers.
First of all, a CORS xhr request could be made with credentials (since
they're available in the view-source JavaScript)... the