JavaScript considered harmful (was Re: New online index to Beazley's tutorials)

Michael Ströder michael at stroeder.com
Tue Jan 8 16:33:13 CET 2002


Aahz Maruch wrote:
> 
> Too many sites misuse cookies, so lots of people
> turn cookies off. 

Me too. :-)

> but cookies for sessions IDs is absurd.

Why? It's generally harder to hijack cookie-based session IDs than
URL-based session IDs (think of Referer-URLs sent by browsers and
tricking web browser via Javascript, cross-site scripting attacks
etc.).

But I don't use cookies since I have cookies turned off. Instead I'm
trying to prevent session hijacking with checking CGI-BIN vars
assumed to be constant throughout the whole session. Check out my
module pyweblib.session used in e.g. web2ldap (see
http://www.stroeder.com/pylib/PyWebLib/). Also all external links in
web2ldap are redirected by an internal URL redirector sending a new
HTML page to prevent the browser from sending a referer URL.

Ciao, Michael.



More information about the Python-list mailing list