> I'm not saying it ever receives that variable. However,
> CF somehow associates that session with that client,
> therefore, the spider appears to be a valid client.

I would go a step farther and say that it is a valid client. There's no
difference between one HTTP client and another, from the web server's
perspective, beyond the User-Agent string that each client sends to identify
itself.

> Once it has the session, what keeps it from posting a
> million times on that session?  

Your code would have to prevent this, if you didn't want it to be a
possibility.

> CF has to set something on the client (cookie or token or
> something) to keep the session alive, and couldn't the
> browser/spider spoof that?

If by "spoof", you mean that one HTTP client could send a token that
belonged to another HTTP client, yes. If one HTTP client simply returns the
same token it received, it's not spoofing anything, whether it's a spider or
a browser.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
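
The server-side check the reply above leaves to application code, as an added example that is not part of the original message and is not ColdFusion code: a Python sketch that caps posts per session token and ignores the User-Agent, since any client returning the token is equally valid. The class name, limits and in-memory store are assumptions made for illustration.

```python
import secrets
import time
from collections import defaultdict, deque


class SessionPostLimiter:
    """Hypothetical helper: sliding-window cap on posts per session token."""

    def __init__(self, max_posts=5, window_seconds=60.0, clock=time.monotonic):
        self.max_posts = max_posts
        self.window = window_seconds
        self.clock = clock
        self._issued = set()               # tokens this server handed out
        self._posts = defaultdict(deque)   # token -> timestamps of accepted posts

    def new_session(self):
        token = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged
        self._issued.add(token)
        return token

    def allow_post(self, token, user_agent=""):
        # user_agent is deliberately unused: it is client-supplied and proves
        # nothing about whether the sender is a browser or a spider.
        if token not in self._issued:
            return False
        now = self.clock()
        times = self._posts[token]
        while times and now - times[0] >= self.window:
            times.popleft()                # forget posts older than the window
        if len(times) >= self.max_posts:
            return False                   # over the cap for this session
        times.append(now)
        return True


def demo():
    # Constructed scenario: one token replayed under two User-Agent strings.
    t = [0.0]
    limiter = SessionPostLimiter(max_posts=3, window_seconds=60, clock=lambda: t[0])
    token = limiter.new_session()
    agents = ("Mozilla/5.0", "ExampleSpider/1.0", "Mozilla/5.0", "ExampleSpider/1.0")
    results = [limiter.allow_post(token, a) for a in agents]
    t[0] = 61.0                            # window has passed
    results.append(limiter.allow_post(token, "ExampleSpider/1.0"))
    results.append(limiter.allow_post("never-issued", "Mozilla/5.0"))
    return results


if __name__ == "__main__":
    print(demo())
```

A client that discards its token and requests a new session gets a fresh counter, so a cap like this is usually combined with a limit keyed on something other than the session.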