On Tue, Aug 07, 2012 at 02:01:11PM +0200, Tomas Hrcka wrote:
> On Mon, 2012-08-06 at 10:45 -0400, Matt Wagner wrote:
> > I wonder if it would be lunacy to set a custom HTTP header, which looks
> > to be possible through Backbone. Something along the lines of
> > X-Is-Backbone or whatnot. This might be easier than trying to globally
> > alter URLs, and it's a valid use of headers. Does this sound like lunacy
> > to you guys?
>
> In a way isn't ^ the same as modifying URL? I mean the code
> creating/modifying the header will be on client side...

It is pretty similar from that point. I was just recommending it because
it seemed like it might be easier to implement. (But I could be wrong,
too.)

I think that indicating a request should _not_ keep your session active
is okay. I don't see anything an attacker could do with that. Though I
should note that I'm really just going by what seems to make sense to me,
versus any sort of expert security background.

-- Matt
