JavaScript considered harmful (was Re: New online index to Beazley's tutorials)

Michael Ströder michael at
Tue Jan 8 16:33:13 CET 2002

Aahz Maruch wrote:
> Too many sites misuse cookies, so lots of people
> turn cookies off. 

Me too. :-)

> but cookies for sessions IDs is absurd.

Why? It's generally harder to hijack cookie-based session IDs than
URL-based session IDs (think of Referer URLs sent by browsers and
tricking the web browser via JavaScript, cross-site scripting attacks).

But I don't use cookies since I have cookies turned off. Instead I'm
trying to prevent session hijacking by checking CGI-BIN vars
assumed to be constant throughout the whole session. Check out my
module pyweblib.session used in e.g. web2ldap (see
Also, all external links in web2ldap are redirected by an internal
URL redirector sending a new HTML page to prevent the browser from
sending a Referer URL.

Ciao, Michael.
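The session-binding check Michael describes, written out as an added illustration (this is not pyweblib.session's code; the choice of which CGI variables to bind, the SessionStore class and the sample environments are assumptions made for the example): a session ID is bound at creation to a hash of environment variables expected to stay constant, and a later request presenting the same ID from a non-matching environment is refused and the session destroyed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# CGI-BIN variables assumed constant for the whole session. Hypothetical
# selection for this example; pyweblib may use a different list.
FINGERPRINT_VARS = ("REMOTE_ADDR", "HTTP_USER_AGENT", "HTTP_ACCEPT_LANGUAGE")


def fingerprint(environ):
    """Hash the bound variables in a fixed order; absent vars hash as empty."""
    h = hashlib.sha256()
    for name in FINGERPRINT_VARS:
        h.update(name.encode() + b"=" + environ.get(name, "").encode() + b"\n")
    return h.hexdigest()


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def new_session(self, environ):
        sid = secrets.token_urlsafe(32)          # unguessable session ID
        self.sessions[sid] = {"fp": fingerprint(environ), "data": {}}
        return sid

    def retrieve(self, sid, environ):
        """Return the session's data, or None if the ID is unknown or the
        request's fingerprint differs from the one bound at creation
        (in which case the session is destroyed rather than served)."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if not hmac.compare_digest(entry["fp"], fingerprint(environ)):
            del self.sessions[sid]
            return None
        return entry["data"]


# Constructed sample CGI environments: the legitimate client and a second
# host that somehow obtained the same session ID (e.g. via a leaked URL).
ALICE = {"REMOTE_ADDR": "192.0.2.10", "HTTP_USER_AGENT": "Mozilla/4.0",
         "HTTP_ACCEPT_LANGUAGE": "de"}
OTHER = {"REMOTE_ADDR": "198.51.100.7", "HTTP_USER_AGENT": "Mozilla/4.0",
         "HTTP_ACCEPT_LANGUAGE": "de"}


def demo():
    store = SessionStore()
    sid = store.new_session(ALICE)
    store.retrieve(sid, ALICE)["user"] = "alice"
    same = store.retrieve(sid, ALICE)    # genuine client: data returned
    stolen = store.retrieve(sid, OTHER)  # mismatch: None, session dropped
    return same, stolen, sid in store.sessions
```

The trade-off of this check is that a client whose bound variables legitimately change mid-session (an address change behind a proxy pool, a browser upgrade) is logged out, so the variables chosen should be the ones the deployment can expect to remain stable.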

