Frank Barknecht wrote:
> Hi,
>
> maybe you have already seen this one on some news sites, but this
> document on "Session Riding" [1] IMO discusses a very important
> security issue with web based applications like you all probably
> develop with Webware, too, and it shines new light on the Cookie vs.
> URL-session debate. Essential reading!
>
> [1] http://www.securenet.de/papers/Session_Riding.pdf
>
> Ciao
Using the latest Webware CVS as of a few minutes ago, if you use UseAutomaticPathSessions=True with UseCookieSessions=False then the session id is exclusively embedded in the URL and never sent in a cookie, so based on my reading of the article, this should be safe from session riding. Other than ugly URLs, a drawback is that this method _always_ starts a new session, even if the request doesn't need a session, because right at the beginning of request processing, it issues a redirect to include a session ID in the URL, before it knows if a session is needed. I don't know how to get around that problem easily.

- Geoff

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss
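The two behaviours Geoff describes, as an added toy model that is not Webware code and not part of the original thread: a browser of that era attaches the app's cookies to any request aimed at the app, whichever site's page triggered it, so a cookie-borne session id rides along with a forged form post; a session id that lives only in the URL path is never known to the attacker's page, so the forged request arrives session-less. The model also shows the side effect of redirecting every session-less request to a session-bearing URL before the target servlet runs. The `Server`, `Browser` and route names, the `_SID_` marker and the `/_SID_=<id>/...` path form are this example's own assumptions; Webware's real implementation differs in detail.

```python
"""Toy model of session riding against cookie-borne vs URL-borne session ids.

Added example, not Webware code. Names, the "_SID_" marker and the
"/_SID_=<id>/<path>" form are assumptions made for this illustration.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

APP = "https://app.example"  # constructed origin of the simulated web app
SID = "_SID_"                # assumed cookie name / path marker


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""
    set_cookie: dict = field(default_factory=dict)


class Server:
    """Minimal app supporting either session transport (mirrors the two settings)."""

    def __init__(self, use_cookie_sessions, use_automatic_path_sessions):
        self.cookie_sessions = use_cookie_sessions
        self.path_sessions = use_automatic_path_sessions
        self.sessions = {}   # sid -> session dict
        self.transfers = []  # the state change we want to protect from riding

    def _split(self, url):
        """Return (sid, application path) for a URL under path-session transport."""
        path = urlsplit(url).path
        if self.path_sessions and path.startswith(f"/{SID}="):
            sid, _, rest = path[len(SID) + 2:].partition("/")
            return sid, "/" + rest
        return None, path

    def handle(self, url, cookies=None, form=None):
        cookies, form = cookies or {}, form or {}
        sid, path = self._split(url)
        if self.path_sessions and sid is None:
            # Drawback from the post: a session is created and the client redirected
            # before the app knows whether this path needs a session at all.
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
            p = urlsplit(url)
            return Response(302, location=urlunsplit(p._replace(path=f"/{SID}={sid}{p.path}")))
        if self.cookie_sessions:
            sid = cookies.get(SID)
        session = self.sessions.get(sid)
        if path == "/static":
            return Response(200, "no session needed here")
        if path == "/login":
            if session is None:
                sid = secrets.token_hex(8)
                session = self.sessions[sid] = {}
            session["user"] = form["user"]
            resp = Response(200, "logged in as " + form["user"])
            if self.cookie_sessions:
                resp.set_cookie[SID] = sid
            return resp
        if path == "/transfer":
            if not session or "user" not in session:
                return Response(403, "not logged in")
            self.transfers.append((session["user"], form["to"], int(form["amount"])))
            return Response(200, "transfer done")
        return Response(404)


class Browser:
    """Sends the app's cookies with every request to the app, whoever initiated it
    (pre-SameSite behaviour). A 302 is followed as a GET, so any POST body is dropped."""

    def __init__(self, server):
        self.server, self.jar, self.location = server, {}, APP + "/"

    def request(self, url, form=None):
        resp = self.server.handle(url, cookies=dict(self.jar), form=form)
        self.jar.update(resp.set_cookie)
        while resp.status == 302:
            url = resp.location
            resp = self.server.handle(url, cookies=dict(self.jar))
            self.jar.update(resp.set_cookie)
        self.location = url
        return resp

    def click_link(self, app_path, form=None):
        """Follow a link the app itself rendered: it keeps the session path component."""
        base = urlsplit(self.location)
        prefix = "/" + base.path.split("/")[1] if base.path.startswith(f"/{SID}=") else ""
        return self.request(urlunsplit(base._replace(path=prefix + app_path)), form)


def forged_post(victim):
    """An attacker page elsewhere auto-submits a form to the app; it knows the
    target URL but has no way to learn the victim's session id."""
    return victim.request(APP + "/transfer", form={"to": "mallory", "amount": "1000"})


def run(use_cookie_sessions, use_automatic_path_sessions):
    """Victim logs in, then visits the attacker page. Returns (status, transfers)."""
    server = Server(use_cookie_sessions, use_automatic_path_sessions)
    victim = Browser(server)
    victim.request(APP + "/")  # first visit; path mode redirects to a session URL
    victim.click_link("/login", form={"user": "alice"})
    return forged_post(victim).status, list(server.transfers)


def sessions_after_static(use_cookie_sessions, use_automatic_path_sessions):
    """How many sessions exist after one request that needs none."""
    server = Server(use_cookie_sessions, use_automatic_path_sessions)
    Browser(server).request(APP + "/static")
    return len(server.sessions)


if __name__ == "__main__":
    print("cookie sessions:", run(True, False))    # forged transfer goes through
    print("path sessions:  ", run(False, True))    # forged request has no session
    print("sessions after /static:", sessions_after_static(True, False),
          sessions_after_static(False, True))
```

With cookie sessions the forged post returns 200 and a transfer is recorded; with automatic path sessions it is redirected to a fresh, empty session and refused, but that redirect is exactly the cost Geoff notes: a single request for `/static` already leaves one session behind.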