Sorry - you piqued my interest so I have to jump the gun a little.
Are you basing it on unique host names which are resolved by
some type of DNS delegation?

If so, the only problem is with SSL pages. The host name has to
match the one in the certificate, otherwise the browser will
give a warning.  In this case we would have to rely on the
first HTTP_REFERER from a non-SSL page,
and then go back to mangled URLs or hidden fields
(we know we are using a form or we wouldn't need SSL).

cliff rayman
genwax.com

"Randal L. Schwartz" wrote:

> >>>>> "Serge" == Serge Sozonoff <[EMAIL PROTECTED]> writes:
>
> Serge> Hello,
> >> It will work fine, but the problem still remains that the
> >> incoming page URL has the session-id in it, so that when you go
> >> offsite, the referer header sent by the client has the client's
> >> session id in it still, and the unethical webmaster could easily
> >> then access the users sessions by looking at the referer logs.
>
> Serge> There is a little article about cookie-less sessions at:
>
> Serge> www.webdevelopersjournal.com/columns/stateful.html
>
> And this method requires client-side javascript enabled (mine is not,
> thank you), *and* frames your entire site, so bookmarking is useless.
>
> Nope, I wouldn't put it into the "useful robust" category.
> You're still back to:
>
> cookies (maybe disabled)
> hidden fields (only with form submissions)
> mangled URLs (all pages must be dynamically generated)
> auth (like BasicAuth where you "log in")
>
> And one *new* one that I pondered recently, that can be used as long
> as you presume HTTP/1.1...
>
> I don't have time to write it up here, but it permits:
>
> 1) bookmarking of sessions
> 2) no rewriting of URLs for static pages, even if they have links
> 3) access to session ID even by mod_cgi scripts
> 4) new sessions are started by a simple external redirect
> 5) one simple PerlTransHandler could provide the master session-start for any URL
>
> downside: you must have access to a UDP port 53 somewhere and DNS delegation
>
> I'll write up more after I've done some testing.
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
> See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
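The following is an added illustration, not code from either poster (Randal has not published his scheme, and Cliff is only guessing at it). It assumes the guess in the reply above: the session id is the leftmost label of a hostname under a delegated zone, taken here to be the made-up sess.example.com. It shows the two things Cliff's reply turns on: whether a browser's certificate hostname check would accept such a per-session host (a certificate for www.example.com does not cover it; a wildcard for *.sess.example.com does), and recovering the session id from the first Referer when the user crosses to the SSL host. All hostnames, zone names and session ids below are constructed for the example.

```python
"""Session id carried in the hostname, plus the checks raised in the thread.

Hostnames, the delegated zone and the session ids are constructed for
illustration only; this is not the scheme Randal alluded to.
"""
import re
from urllib.parse import urlsplit

# Assumed delegated zone: <session-id>.sess.example.com resolves to the server
# (for instance via a wildcard A record in the delegated zone).
SESSION_ZONE = "sess.example.com"
SID_RE = re.compile(r"^([0-9a-f]{16,32})\." + re.escape(SESSION_ZONE) + r"$")


def normalize_host(host):
    """Lower-case the name and strip any :port suffix and trailing dot."""
    return host.split(":", 1)[0].rstrip(".").lower()


def session_from_host(host):
    """Session id embedded as the leftmost label of the Host header, else None.

    Only hosts directly under SESSION_ZONE qualify, so a look-alike such as
    <id>.evil.example.com yields None rather than a session.
    """
    m = SID_RE.match(normalize_host(host))
    return m.group(1) if m else None


def session_from_referer(referer):
    """Cliff's fallback for the SSL entry page: read the id from the Referer's host.

    Works only for the very first request into the SSL host; after that the
    id has to travel in a hidden field, because the SSL host is a fixed name.
    """
    if not referer:
        return None
    return session_from_host(urlsplit(referer).hostname or "")


def cert_name_matches(pattern, host):
    """Hostname match the way browsers do it (RFC 2818 / RFC 6125 rules):
    an exact match, or a wildcard that is the entire leftmost label of the
    pattern and spans exactly one label of the host."""
    p, h = normalize_host(pattern), normalize_host(host)
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) == len(hl) and pl[1:] == hl[1:]


def browser_accepts(cert_names, host):
    """True if some subject name in the certificate covers host;
    otherwise the browser would show the warning Cliff mentions."""
    return any(cert_name_matches(n, host) for n in cert_names)


if __name__ == "__main__":
    sid = "5f3a9c0e1b2d4a6f"                      # constructed session id
    host = f"{sid}.{SESSION_ZONE}"               # 5f3a9c0e1b2d4a6f.sess.example.com
    print(session_from_host(host))               # 5f3a9c0e1b2d4a6f
    print(browser_accepts(["www.example.com"], host))        # False: warning case
    print(browser_accepts(["*.sess.example.com"], host))     # True: wildcard cert covers it
    print(browser_accepts(["*.example.com"], host))          # False: wildcard spans one label
    print(session_from_referer(f"http://{host}/cart"))       # 5f3a9c0e1b2d4a6f
```

The wildcard check is deliberately strict: `*.example.com` does not cover a host two labels below it, so the certificate would have to be issued for the delegated zone itself.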
