[Phplib-users] Re: [Phplib-core] session stealing and fallback_mode=get
From: Richard A. <rh...@ju...> - 2002-05-29 21:14:40
At 6:09 PM +0200 29/5/02, Giancarlo Pinerolo wrote:
>I think that if 'cookie' is set and cookies are on, it should definitely
>use them. While it seems to be driven into the fallback mode when the
>session is present in the URL.

Aah, but cookies are not always available, and it is IMHO extremely unwise to lock a class of user out of a site just because they have cookies disabled. And especially unwise to lock out the most tech-savvy users.

Perhaps PHPLIB should allocate a new session ID and invalidate the old one under certain circumstances:

* session ID was passed by get
* referer is not within our domain (yes, I know referer headers are not to be trusted or relied upon)
* an unknown session ID is received by any method

If this was done, for sites in get mode or users in fallback mode, the session ID would change for each page. This would render the back button and bookmarks useless. Also, if mode=cookie, the site would try to set a new cookie for each page view where the session ID was received by get.

...Richard.
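The rotation policy Richard sketches above, written out as an added example. This is not PHPLIB's code and not part of the original thread: the function names, the `sid` parameter name, the host `example.org` and the session IDs are all hypothetical, and the session store is a constructed in-memory lookup. It encodes his three triggers (ID arrived by GET, Referer outside our domain, unknown ID) as a decision function, and the demo at the bottom shows the drawback he points out: a known ID that keeps arriving by GET is rotated on every request.

```php
<?php
// Added example, not PHPLIB code. Decide when a session ID should be
// rotated (new ID allocated, old one invalidated) following the three
// triggers proposed in the message above. All names and IDs are
// hypothetical; the session store is a constructed array.

declare(strict_types=1);

const SESSION_NAME = 'sid';          // hypothetical cookie / GET parameter name
const OUR_HOST     = 'example.org';  // hypothetical site host

/**
 * True when the Referer host is our host or a subdomain of it.
 * Referer is client-supplied and may be absent or forged, so this is a
 * heuristic only, never a security boundary on its own.
 */
function referer_is_ours(?string $referer, string $ourHost): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host    = strtolower($host);
    $ourHost = strtolower($ourHost);
    $suffix  = '.' . $ourHost;
    return $host === $ourHost
        || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix);
}

/**
 * Return the reason the current session ID must be replaced, or null to
 * keep it. $cookie and $get stand in for $_COOKIE and $_GET; $isKnown
 * reports whether the session store recognises an ID.
 */
function rotation_reason(array $cookie, array $get, ?string $referer, callable $isKnown): ?string
{
    $fromCookie = $cookie[SESSION_NAME] ?? null;
    $fromGet    = $get[SESSION_NAME] ?? null;
    $sid        = $fromCookie ?? $fromGet;

    if ($sid === null) {
        return 'no session id received';      // a fresh session is needed anyway
    }
    if (!$isKnown((string) $sid)) {
        return 'unknown session id';          // "by any method"
    }
    if ($fromCookie === null) {
        return 'session id passed by get';    // fires on every request in get/fallback mode
    }
    if (!referer_is_ours($referer, OUR_HOST)) {
        return 'referer not within our domain';
    }
    return null;
}

/** Allocate a new, unguessable ID: 16 random bytes, hex-encoded. */
function new_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// --- constructed demo: one known ID in the store, four request shapes ---
$known   = ['a1b2c3d4e5f60718' => true];
$isKnown = static fn(string $id): bool => isset($known[$id]);

$requests = [
    'cookie, own referer'     => [['sid' => 'a1b2c3d4e5f60718'], [], 'https://example.org/page1'],
    'cookie, foreign referer' => [['sid' => 'a1b2c3d4e5f60718'], [], 'https://evil.example/'],
    'get (fallback mode)'     => [[], ['sid' => 'a1b2c3d4e5f60718'], 'https://example.org/page1'],
    'unknown id in cookie'    => [['sid' => 'ffffffffffffffff'], [], 'https://example.org/'],
];

foreach ($requests as $label => [$cookie, $get, $referer]) {
    $reason = rotation_reason($cookie, $get, $referer, $isKnown);
    if ($reason === null) {
        printf("%-25s keep id\n", $label);
    } else {
        // In a real handler: store the new ID, drop the old one, and (in
        // cookie mode) send a fresh Set-Cookie; in get mode every link on
        // the page must now carry the new ID.
        printf("%-25s rotate (%s) -> %s\n", $label, $reason, new_session_id());
    }
}
```

Run with `php rotate.php` (PHP 7.4 or newer). The first request keeps its ID; the other three rotate, and the `get (fallback mode)` case would rotate again on the very next page, which is the back-button and bookmark problem the message describes.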