Re: No Cookie: how to implement session?
- From: Paul Rubin <http://phr.cx@xxxxxxxxxxxxxx>
- Date: 28 Mar 2006 11:30:05 -0800
Dennis Lee Bieber <wlfraed@xxxxxxxxxxxxx> writes:
> Yes... And watch them flounder on sites that use cookies /for/ a
> form of security (ie, those sites that require logins...) Cookies can be
> set to expire, so the "session" can time-out... whereas...
Sites should never rely on cookies timing out. If there's any
security concern about session persistence and you don't want to track
the session timeout on the server, then encode an expiration time into
the cookie itself, and cryptographically authenticate the cookie.
> I tried to add hidden field with a sessionID in every python CGI script
> generated web pages, so every time my client POST a request, the server
The trouble here is that it stops internal links (retrieved with GET
rather than POST) from working. So normally what you're describing is
done with session IDs in the URL (see amazon.com for example). That,
too, isn't so great for security, especially for ecommerce sites,
since people tend to share URLs with their friends. E.g., they'll
post to Usenet or web BBSs, So-and-so is offering a great deal on
Python manuals, the URL is <http://whatever...> where "whatever"
includes the session ID. Anyone clicking the URL then ends up with
the same shopping cart as the person who posted it.
To OP: keep in mind also that anyone who disables cookies probably
also disables javascript, so relying on javascript as you described
for redirection doesn't work too well either.
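As an added illustration of the advice above (example code, not part of Paul's post or anything from the original thread), here is what "encode an expiration time into the cookie itself, and cryptographically authenticate the cookie" looks like in modern Python 3: the cookie value carries the session ID and an expiry timestamp, an HMAC-SHA256 tag over that payload, and the server checks the tag in constant time before it trusts any field, then checks the expiry against its own clock rather than the browser's. The key and the session IDs are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key. A real deployment loads this from a secret store
# and rotates it; anyone holding it can mint valid session cookies.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def _b64encode(raw: bytes) -> str:
    # URL-safe base64 without padding, so the value is safe in a Set-Cookie header.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_session_cookie(session_id: str, lifetime_seconds: int,
                        key: bytes = SECRET_KEY,
                        now: Optional[float] = None) -> str:
    """Build "<payload>.<tag>" where payload = {sid, exp} and tag = HMAC(key, payload).

    The expiry lives inside the authenticated payload, so a client cannot
    extend its own session by editing the cookie."""
    if now is None:
        now = time.time()
    expires = int(now) + lifetime_seconds
    payload = json.dumps({"sid": session_id, "exp": expires},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(tag)


def verify_session_cookie(cookie_value: str, key: bytes = SECRET_KEY,
                          now: Optional[float] = None) -> Optional[str]:
    """Return the session ID if the cookie is authentic and unexpired, else None.

    Order matters: the MAC is checked first, with compare_digest, before any
    field is parsed or believed; the expiry is then judged by the server clock."""
    if now is None:
        now = time.time()
    try:
        payload_b64, tag_b64 = cookie_value.split(".", 1)
        payload = _b64decode(payload_b64)
        tag = _b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        fields = json.loads(payload)
        expires = int(fields["exp"])
        sid = str(fields["sid"])
    except (ValueError, KeyError, TypeError):
        return None
    if now >= expires:
        return None
    return sid


def demo() -> dict:
    """Exercise the helpers against a fixed clock and return the outcomes.

    Includes a self-check that a payload whose expiry was edited without the
    key is rejected, because the old tag no longer matches."""
    issued_at = 1_143_570_605  # constructed timestamp
    cookie = make_session_cookie("cart-7f3a", 1800, now=issued_at)
    payload_b64, tag_b64 = cookie.split(".", 1)
    fields = json.loads(_b64decode(payload_b64))
    fields["exp"] += 86400  # attempt to push expiry out by a day
    edited = _b64encode(json.dumps(fields, separators=(",", ":"),
                                   sort_keys=True).encode()) + "." + tag_b64
    return {
        "fresh": verify_session_cookie(cookie, now=issued_at + 60),
        "expired": verify_session_cookie(cookie, now=issued_at + 1800),
        "edited_expiry": verify_session_cookie(edited, now=issued_at + 60),
        "wrong_key": verify_session_cookie(cookie, key=b"some-other-key",
                                           now=issued_at + 60),
    }


if __name__ == "__main__":
    print(demo())
```

The session ID itself should still be a random, unguessable value generated on the server (e.g. `secrets.token_urlsafe()`); the MAC only proves the server issued the cookie and that its expiry is intact, it does not make a weak ID strong. The same scheme does nothing for the sharing problem described above if the value is put in a URL instead of a cookie.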