Frank Barknecht wrote:
> maybe you have already seen this one on some news sites, but this
> document on "Session Riding" IMO discusses a very important
> security issue with web based applications like you all probably
> develop with Webware, too, and it shines new light on the Cookie vs.
> URL-session debate. Essential reading!
> http://www.securenet.de/papers/Session_Riding.pdf

Using the latest Webware CVS as of a few minutes ago, if you use
UseAutomaticPathSessions=True with UseCookieSessions=False then the session
id is exclusively embedded in the URL and never sent in a cookie, so based
on my reading of the article, this should be safe from session riding.
Other than ugly URLs, a drawback is that this method _always_ starts a new
session, even if the request doesn't need a session, because right at the
beginning of request processing, it issues a redirect to include a session
ID in the URL, before it knows if a session is needed. I don't know how to
get around that problem easily.
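The reasoning above in miniature, as an added illustration that is not Webware code and not part of the original thread: a toy server that can carry the session id either in a cookie or in the URL path. The `_SID_` cookie name and the `/_SID_<id>/...` path convention, the `/transfer` route and the in-memory session store are all assumptions made for the example. A cross-site form post gets the victim's cookie attached by the browser automatically, but the forging page cannot know the session id embedded in the victim's URLs, so in path-session mode the request arrives without a session and is redirected into a fresh, unauthenticated one. The same redirect branch also shows the drawback described in the reply: a request with no session id in its path gets a new session whether the page needed one or not.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""


@dataclass
class Server:
    """Toy application server (assumption: not Webware's real Application class)."""
    use_cookie_sessions: bool
    sessions: dict = field(default_factory=dict)   # session id -> session data
    transfers: list = field(default_factory=list)  # side effects of state-changing requests

    def new_session(self, user=None):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user}
        return sid

    def session_from_path(self, path):
        # Assumed path convention: "/_SID_<id>/rest/of/path".
        parts = path.split("/", 2)
        if len(parts) >= 2 and parts[1].startswith("_SID_"):
            sid = parts[1][len("_SID_"):]
            rest = "/" + (parts[2] if len(parts) > 2 else "")
            return sid, rest
        return None, path

    def handle(self, path, cookies, form):
        if self.use_cookie_sessions:
            # Cookie mode: the browser attaches the cookie to any request,
            # including one triggered from a third-party page.
            sid = cookies.get("_SID_")
            route = path
        else:
            # Path mode: the id must be present in the URL itself.
            sid, route = self.session_from_path(path)
            if sid is None or sid not in self.sessions:
                # The drawback from the reply: a session is created and a
                # redirect issued before we know whether this page needs one.
                sid = self.new_session()
                return Response(302, location=f"/_SID_{sid}{path}")
        session = self.sessions.get(sid)
        if session is None:
            return Response(401, body="no session")
        if route == "/transfer":
            if session["user"] is None:
                return Response(403, body="not logged in")
            self.transfers.append((session["user"], form["to"], form["amount"]))
            return Response(200, body="transferred")
        return Response(200, body="ok")


def forged_transfer(server, victim_sid):
    """A request as a session-riding page would cause the victim's browser to
    send it: the cookie rides along, the path session id does not."""
    return server.handle("/transfer", cookies={"_SID_": victim_sid},
                         form={"to": "mallory", "amount": 100})


def legitimate_transfer(server, sid):
    """The same action issued from a page the user actually loaded."""
    path = "/transfer" if server.use_cookie_sessions else f"/_SID_{sid}/transfer"
    return server.handle(path, cookies={"_SID_": sid},
                         form={"to": "bob", "amount": 5})


def demo(use_cookie_sessions):
    """Returns (status of forged request, number of transfers recorded)."""
    srv = Server(use_cookie_sessions)
    sid = srv.new_session(user="alice")       # alice has logged in
    resp = forged_transfer(srv, sid)
    return resp.status, len(srv.transfers)


if __name__ == "__main__":
    print("cookie sessions:", demo(True))    # forged request succeeds
    print("path sessions:  ", demo(False))   # forged request redirected, nothing transferred
```

`demo(True)` records the forged transfer with a 200, while `demo(False)` answers 302 and records nothing, which is the "safe from session riding" claim in the reply; `legitimate_transfer` shows the path form still works for the real user. Note the toy only models the session transport: a site that leaks URLs (Referer headers, shared links, logs) leaks the session id with them, which is the other side of the cookie vs. URL debate the paper discusses.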