Same issue, but what about people who email a link to your site, or create a link to your site by c/p from the url window.
That could be a serious security liability. Someone has an account on your site, then pastes a link to your site somewhere, and whammo, everyone else has access to their account.
I'm thinking I don't like this idea much. Perhaps it'll work to supplement cookies, but not replace them.
matt
On 12/1/05, Bryan Murdock <[EMAIL PROTECTED]> wrote:
Nother n00b question from left field, what's the problem with just
using cookies?
Bryan
On 12/1/05, Kevin Dangoor <[EMAIL PROTECTED]> wrote:
>
> Short answer: you can never completely trust anything that comes from
> any client. If you've got hefty security needs, program appropriately.
>
> Kevin
>
> On 12/1/05, Jared Kuolt <[EMAIL PROTECTED]> wrote:
> >
> > Newb question out of left field: What's to prevent someone from
> > spoofing a Session ID?
> >
> > On 12/1/05, Kevin Dangoor <[EMAIL PROTECTED]> wrote:
> > >
> > > There's a discussion going on on the CherryPy list about putting
> > > session IDs in the URL and having the session filter automatically
> > > pull the ID out. I think this has come up here as well.
> > >
> > > As Remi points out in this thread (http://tinyurl.com/aez56), CherryPy
> > > doesn't have any way to help you get your session ID in the URL.
> > > However, TurboGears *does* have a URL generation function. Its use is
> > > optional, but strongly recommended... it would be easy for that
> > > function to include a session ID, if needed...
> > >
> > > I just thought I'd bring this up for anyone else out there looking for
> > > sessions that don't require cookies.
> > >
> > > Kevin
> > >
> > > ---------- Forwarded message ----------
> > > From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > > Date: Nov 30, 2005 8:28 PM
> > > Subject: [cherrypy-devel] Re: Sessions and cookies
> > > To: cherrypy-devel <[EMAIL PROTECTED]>
> > >
> > >
> > >
> > > Interesting. After thinking about it some more, there are some
> > > tremendous technological issues with rewriting URLs. The problem, as
> > > your comments suggest, is that a parser and JavaScript wrapper library
> > > are necessary. Funny enough, I built an entire web proxy that had a
> > > complete HTML parser and JavaScript wrapper library that rewrote URLs
> > > for a client years ago - it was a monumental task and would add way too
> > > much bloat to cherrypy.
> > >
> > > That said, I think this suggests a more generalized solution: the
> > > creation of a simple interface for sessionID extraction/insertion which
> > > allows users to plug in their particular implementation. So, for
> > > example, each of sessionfilter's methods could reference whatever class
> > > the user defined in the config (much as one can currently define
> > > classes to run when sessions are created or destroyed). For each method
> > > in sessionfilter, a corresponding predetermined named method could be
> > > available in the user defined class. I think this is essentially a
> > > strategy design pattern.
> > >
> > > I think the primary point I'm trying to make is that coupling sessions
> > > with cookies is unnecessary. Providing a mechanism for developers to
> > > implement their own sessionID extraction/insertion techniques gives
> > > them a real sense of freedom: as web applications (using xml-rpc,soap,
> > > etc), not just websites, become increasingly common, this will prove
> > > particularly important.
> > >
> > > As an aside, how exactly does one offer actual code for possible
> > > integration? Should I just code up a prototype and post it somewhere?
> > > If so, where?
> > >
> > >
> > >
> > > --
> > > Kevin Dangoor
> > > Author of the Zesty News RSS newsreader
> > >
> > > email: [EMAIL PROTECTED]
> > > company: http://www.BlazingThings.com
> > > blog: http://www.BlueSkyOnMars.com
> > >
> >
> >
> > --
> > [EMAIL PROTECTED]
> >
>
>
> --
> Kevin Dangoor
> Author of the Zesty News RSS newsreader
>
> email: [EMAIL PROTECTED]
> company: http://www.BlazingThings.com
> blog: http://www.BlueSkyOnMars.com
>
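The pluggable session-ID extraction/insertion interface from Kevin's forwarded message, alongside matt's copy-and-paste concern, as an added example (not CherryPy or TurboGears code; the class names, the `session_id` parameter name and the request dict layout are assumptions):

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SESSION_KEY = "session_id"  # assumed cookie / query-parameter name


class SessionStore:
    """Server-side store; IDs are random, so a client cannot guess one."""
    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        # A client-supplied ID that is not in the store is a spoof attempt
        # and yields no session; compare in constant time.
        if sid is None:
            return None
        for known, data in self._sessions.items():
            if hmac.compare_digest(known.encode(), sid.encode()):
                return data
        return None


class CookieStrategy:
    """Session ID travels in a Cookie header; generated URLs stay clean."""
    def extract(self, request):
        return request.get("cookies", {}).get(SESSION_KEY)

    def insert(self, url, sid):
        return url


class UrlStrategy:
    """Session ID is rewritten into every generated URL (no cookies needed)."""
    def extract(self, request):
        return parse_qs(urlsplit(request["url"]).query).get(SESSION_KEY, [None])[0]

    def insert(self, url, sid):
        parts = urlsplit(url)
        query = parts.query + ("&" if parts.query else "") + urlencode({SESSION_KEY: sid})
        return urlunsplit(parts._replace(query=query))


def url_leaks_session(strategy, sid, url="https://example.test/inbox"):
    """True if a link copied from the address bar carries the session ID."""
    return sid in strategy.insert(url, sid)
```

With `UrlStrategy` every link the application emits is a bearer token for the session, which is exactly what a pasted or emailed link hands to its recipient.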