Gunther Birznieks <[EMAIL PROTECTED]> wrote:
> [2] Mangled URL Paths
> 
> Isn't it possible to browse the history on the harddrive... so is this
> really more secure than non-persistent cookies?

Relying on browser-based client-side expiration is not a good idea, either for cookies
or for mangled URLs.

Either you store information about when the user identifier (cookie or URL component)
was last used on the server, or you put expiration information in the cookie content 
along with a cryptographically secure checksum (as described in the modperl book).  
You must check the expiry time for every authenticated hit.

So what is the security advantage of mangled URLs over cookies for authentication?

Andrew McNaughton


-- 

Andrew McNaughton
+64 4 389 6891
[EMAIL PROTECTED]
http://www.scoop.co.nz/
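
The second option described in the message above (expiry carried in the cookie or URL component, protected by a keyed checksum, and checked on every authenticated hit), as an added example that is not part of the original message and is not the mod_perl book's code. It uses HMAC-SHA256 as the checksum; the secret, the `user:expiry:mac` layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret that never reaches the client (constructed value).
SECRET = b"constructed-demo-key-not-for-production"


def _mac(payload):
    """Keyed checksum over the payload; only the server can compute it."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, ttl, now=None):
    """Build 'user:expiry:mac' for use as a cookie value or URL component."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{user}:{now + ttl}"
    return f"{payload}:{_mac(payload)}"


def check_token(token, now=None):
    """Return the user if the token is authentic and unexpired, else None.

    Call this on every authenticated request; the browser's own cookie
    expiry or history handling is never consulted.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        user, expiry, mac = token.rsplit(":", 2)
    except ValueError:
        return None  # not in user:expiry:mac form
    # Verify the checksum first, in constant time, so a client cannot
    # extend its own session by editing the expiry field.
    if not hmac.compare_digest(mac.encode(), _mac(f"{user}:{expiry}").encode()):
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None  # authentic but stale, e.g. replayed from browser history
    return user


if __name__ == "__main__":
    t = issue_token("alice", ttl=600, now=1000)          # expires at 1600
    print(check_token(t, now=1500))                      # within lifetime
    print(check_token(t, now=1700))                      # replayed after expiry
    print(check_token(t.replace(":1600:", ":9999:"), now=1700))  # edited expiry
```

A token recovered later from the browser history or a saved cookie fails the expiry check, and one with an edited expiry fails the checksum, whichever transport carried it.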
