[Phplib-users] Re: [Phplib-core] session stealing and fallback_mode=get
From: Giancarlo P. <gia...@na...> - 2002-05-30 00:30:19
Richard Archer wrote:
> Aah, but cookies are not always available, and it is IMHO extremely
> unwise to lock a class of user out of a site just because they have
> cookies disabled. And especially unwise to lock out the most tech-savvy
> users.
> When they are enabled, they must be chosen as the mode.
> Perhaps PHPLIB should allocate a new session ID and invalidate the old
> one under certain circumstances:
>
> * session ID was passed by get
>
> * referer is not within our domain (yes, I know referer headers
>   are not to be trusted or relied upon)
>
> * an unknown session ID is received by any method
>
> If this was done, for sites in get mode or users in fallback mode, the
> session ID would change for each page. This would render the back
> button and bookmarks useless.
>
> Also, if mode=cookie, the site would try to set a new cookie for each
> page view where the session ID was received by get.

Really, I haven't seen that. I think I've tried hard. If you offer a session in the query string, it's get all over, even if cookies are enabled.

The best solution is to leave a cookie *anyway* on the 302 step. If they are disabled, they won't hurt.

Giancarlo

> ...Richard.
>
> _______________________________________________
> Phplib-core mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phplib-core
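The following is an added example, not PHPLIB code and not from either poster. It models the two ideas in the exchange above so their consequences can be seen on concrete requests: Richard's proposal (allocate a new session ID and invalidate the old one whenever the ID arrives via GET, comes with a referer outside our domain, or is unknown) and Giancarlo's point (on the 302 step, put the ID in the URL for GET fallback but set the cookie anyway, since a refused cookie costs nothing). The parameter name `sid`, the cookie name, the host `www.example.org`, the `Request`/`Response` shapes and the one-shot `pending` marker that tells "our own redirect came back without the cookie" apart from "someone handed this ID to the client" are all assumptions of this model.

```python
"""Model of the session-ID handling discussed in the thread.

Added example, not PHPLIB code. Names below (SID_PARAM, COOKIE_NAME,
OUR_HOST) and the one-shot `pending` marker are assumptions of this model.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode, urlparse

SID_PARAM = "sid"             # assumed query-string parameter name
COOKIE_NAME = "sid"           # assumed cookie name
OUR_HOST = "www.example.org"  # constructed host for the referer check


@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    referer: Optional[str] = None


@dataclass
class Response:
    status: int
    sid: str                        # session the response is bound to
    mode: Optional[str] = None      # "cookie" or "get" once a page is served
    location: Optional[str] = None  # Location header of a 302
    set_cookie: Optional[str] = None


class SessionStore:
    def __init__(self):
        self.data = {}        # sid -> session variables
        self.pending = set()  # sids issued in a 302 and not yet seen back

    def new(self, variables=None):
        sid = secrets.token_hex(16)
        self.data[sid] = dict(variables or {})
        return sid

    def rotate(self, old, keep_data):
        """Invalidate `old`; carry its data to the new ID only if keep_data."""
        old_vars = self.data.pop(old, {})
        self.pending.discard(old)
        return self.new(old_vars if keep_data else None)


def referer_is_ours(referer):
    # Advisory only: browsers may omit the header and clients can forge it.
    return bool(referer) and urlparse(referer).hostname == OUR_HOST


def bounce(req, sid, store):
    """The 302 step: sid in the URL for GET fallback AND Set-Cookie anyway."""
    store.pending.add(sid)
    location = f"{req.path}?{urlencode({SID_PARAM: sid})}"
    return Response(302, sid=sid, location=location,
                    set_cookie=f"{COOKIE_NAME}={sid}")


def handle(req, store):
    cookie_sid = req.cookies.get(COOKIE_NAME)
    get_sid = req.query.get(SID_PARAM)

    # A known cookie wins: cookie mode, any sid in the URL is ignored.
    if cookie_sid in store.data:
        store.pending.discard(cookie_sid)
        return Response(200, sid=cookie_sid, mode="cookie")

    # No session at all: create one and bounce, so the next request shows
    # whether the client sent the cookie back.
    if get_sid is None:
        return bounce(req, store.new(), store)

    # The sid we just issued came back via GET without the cookie: the
    # client really has cookies off, so serve the page in GET mode.
    if get_sid in store.pending:
        store.pending.discard(get_sid)
        return Response(200, sid=get_sid, mode="get")

    # Any other GET-supplied sid, known or not: new ID, old one invalidated.
    # Data is carried over only for a known ID arriving from our own pages.
    keep = get_sid in store.data and referer_is_ours(req.referer)
    return bounce(req, store.rotate(get_sid, keep_data=keep), store)
```

Run through the model, a cookie-enabled client gets one 302 and is then served in cookie mode with a stable ID, exactly because the cookie was set on the 302 step. A cookie-less client is served in GET mode, but every later in-site link carries the ID in the query string, hits the last branch, and triggers another rotation plus another 302 with another Set-Cookie; the ID therefore changes on each page view, which is the back-button and bookmark problem Richard describes, and the model exposes it rather than solving it. The `pending` marker only recognises our own redirect coming back; the ID is still in a URL, so whoever obtains that Location before it is followed holds a usable ID, which is the exposure of GET fallback the thread is about.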