michael at stroeder.com
Tue Jan 8 16:33:13 CET 2002
Aahz Maruch wrote:
> turn cookies off.
Me too. :-)
> but cookies for sessions IDs is absurd.
Why? It's generally harder to hijack cookie-based session IDs than
URL-based session IDs (think of Referer URLs sent by browsers, and of
trying to prevent session hijacking by checking CGI-BIN variables
assumed to be constant throughout the whole session). Check out my
module pyweblib.session used in e.g. web2ldap (see
http://www.stroeder.com/pylib/PyWebLib/). Also, all external links in
web2ldap are redirected by an internal URL redirector sending a new
HTML page to prevent the browser from sending a Referer URL.
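The outbound-link redirector described above, as an added example that is not code from pyweblib or web2ldap (the endpoint path /redirect and the url parameter name are assumptions). The point it shows: a plain 302 redirect is not enough, because the browser follows it while still sending the Referer of the page that contained the link (which, with URL-based session IDs, carries the session ID). Serving a small HTML page instead makes the redirector URL the Referer the external site sees:

```python
# Added example (not code from pyweblib or web2ldap): a minimal WSGI
# "link redirector" in the spirit of the post. Instead of answering with a
# 302 (which leaves the browser's Referer pointing at the originating page,
# session ID and all), it returns a small HTML page whose only content is the
# outbound link, so the Referer the external site sees is the redirector URL.
from html import escape
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # never forward javascript:, data:, etc.


def target_from_query(query_string):
    """Return the validated outbound URL from ?url=..., or None."""
    params = parse_qs(query_string or "", keep_blank_values=True)
    values = params.get("url")
    if not values:
        return None
    target = values[0]
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return target


def redirect_page(target):
    """HTML interstitial: meta refresh plus a clickable link, no session data."""
    safe = escape(target, quote=True)
    return (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0; url={safe}">'
        "<title>Leaving site</title></head>"
        f'<body><a href="{safe}">{safe}</a></body></html>'
    )


def redirector_app(environ, start_response):
    """WSGI app: GET /redirect?url=<external> -> 200 interstitial page."""
    target = target_from_query(environ.get("QUERY_STRING", ""))
    if target is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"invalid or missing url parameter\n"]
    body = redirect_page(target).encode("utf-8")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        ("Cache-Control", "no-store"),
    ]
    start_response("200 OK", headers)
    return [body]


def call_app(app, query_string):
    """Run the app on a constructed GET request; return (status, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/redirect",
        "QUERY_STRING": query_string,
    }
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


if __name__ == "__main__":
    # Stand-alone demo: serve the redirector locally (hypothetical port).
    from wsgiref.simple_server import make_server

    with make_server("127.0.0.1", 8000, redirector_app) as srv:
        print("serving on http://127.0.0.1:8000/redirect?url=https://example.org/")
        srv.serve_forever()
```

Two caveats a practitioner would want: restricting the scheme keeps javascript: and data: targets out, but the endpoint is still an open redirector to any host, so a real deployment should only emit links the application itself generated (for instance by signing the target or looking it up server-side); and the in-app links that point at /redirect must themselves be built without the session ID in the query string, or the ID is right back in the URL the redirector page is fetched with.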