Re: [PHP] Re: Session's across Domains...

Posted by "Richard Lynch" on 10/19/57 11:31

On Tue, November 8, 2005 7:32 pm, Ben Ramsey wrote:
> I think the approach here will need to err on the side of caution. You
> don't want to pass the session identifier through the URL (or POST) too
> much because it risks exposure and the possibility for session
> hijacking, though it should be possible to do this and grab the session
> information for the session id from the directory where sessions are
> stored (often times this is in /tmp). I would advise against this for
> reasons I've already mentioned.

Call me crazy, but the session_id is already going in/out through
Cookie headers.

So, really, it's not THAT much less secure for it to go in POST, and
only nominally less secure to go in GET, is it?...

I guess some kind of cross-site scripting hack might read HTML but not
Cookies, though, really, you'd think most XSS hacks would focus on
cookies at least as much as HTML source...

There is some argument in favor of not sending/getting the session_id
back and forth AS MUCH just to give it a more fleeting existence on
the wire for snoopers, but the difference between COOKIE/POST/GET data
integrity/security from snooping seems negligible to this naive user.

Maybe this is just a knee-jerk reaction to all the misinformation
about POST being "more secure" than GET that floats all over the 'net.
:-)

[Hi Ben!]

--
Like Music?
http://l-i-e.com/artists.htm
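
A defender's counterpoint to the exchange above, as an added example that is not part of the original thread or of PHP's own documentation: keep the session id in a cookie only (so it never lands in URLs, Referer headers or server logs), mark the cookie HttpOnly and Secure so neither page script nor a clear-text snooper can read it, and regenerate the id after login. It assumes PHP 7.3 or later (array form of session_set_cookie_params, samesite option) and an HTTPS site; the function names are my own.

```php
<?php
// Added example (not from the original thread): hardened PHP session transport.
// Assumes PHP >= 7.3 and that the site is served over HTTPS, otherwise the
// "secure" flag below stops the cookie from being sent at all.
declare(strict_types=1);

function start_hardened_session(): void
{
    // Never accept a session id from the query string or a form field: only the
    // Cookie header is consulted, and PHP will not rewrite links/forms to carry it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued instead of adopting them (anti-fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only: no sharing across domains
        'secure'   => true,    // sent over HTTPS only, so it is never in clear on the wire
        'httponly' => true,    // invisible to document.cookie, blunting theft via XSS
        'samesite' => 'Lax',   // not attached to cross-site POSTs
    ]);

    session_start();
}

// Call this only after credentials have been verified (verification code not
// shown). Issuing a fresh id means any id an attacker observed before login
// no longer maps to the authenticated session.
function after_successful_login(string $user): void
{
    session_regenerate_id(true);   // true: delete the old session file in save_path (often /tmp)
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
}

start_hardened_session();
// Hypothetical flow: $verified_user would come from your password check.
$verified_user = null;
if ($verified_user !== null) {
    after_successful_login($verified_user);
}
```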
