How secure is session? I'm considering 2 methods for downloading a file:
The first is via an A('Download', _href=URL('download', 'file',
args=[file_id])). The second would be to have session.file_id = file_id and
then have only A('Download', _href=URL('download', 'file')), which causes
the app to get the file_id from session.
Assuming my app is bullet proof and only allows permitted users to access
their accessible file_ids, then wouldn't the use of session in the second
case be more secure because the file_id is never publicly exposed, and
thereby hackable?
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
