Matt Sergeant wrote:
> 
> I don't think there's a real option for making it secure. However I think
> the prefix (or postfix) method used in the Eagle book is a good one. Simply
> change the config to:
> 
> PerlTransHandler Apache::ASP
> 
> and in the handler go:
> 
> sub handler {
>     my $r = shift;
>     my $url_sessions = $r->dir_config('URLSessions');
>     if ($r->current_callback eq 'PerlTransHandler') {
>         if ($url_sessions) {
>             # Get session ID from URL
>             # store in notes or pnotes
>             # Remove session ID from URL
>         }
>         else {
>             # Get session ID from cookie
>             # store in notes or pnotes
>         }
>         # Queue this same sub to run again in the content phase
>         return $r->push_handlers('PerlHandler', \&handler);
>     }
> }
> 
> Am I missing some reason this won't work?
> 

It will work fine, but the problem still remains that the 
incoming page URL has the session-id in it, so that when you go 
offsite, the referer header sent by the client has the client's 
session id in it still, and the unethical webmaster could easily 
then access the user's sessions by looking at the referer logs.

-- Joshua
_________________________________________________________________
Joshua Chamas                           Chamas Enterprises Inc.
NodeWorks >> free web link monitoring   Huntington Beach, CA  USA 
http://www.nodeworks.com                1-714-625-4051
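
The point made in the reply above, as an added example that is not part of the original thread or of Apache::ASP: stripping the session prefix inside the server changes only the internal URI, while the Referer the browser sends offsite is still the URL it requested. The 32-hex-character prefix format, the host name `shop.example` and both function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the session ID is a 32-hex-character first path segment,
# e.g. /0123456789abcdef0123456789abcdef/cart.asp (format is hypothetical).
my $SID_RE = qr{^/([0-9a-f]{32})(/.*)?$};

# Split a request path into (session_id, clean_path). Returns (undef, $path)
# when no session prefix is present, so the caller can fall back to cookies.
sub split_session_prefix {
    my ($path) = @_;
    if ($path =~ $SID_RE) {
        return ($1, defined $2 ? $2 : '/');
    }
    return (undef, $path);
}

# What a browser sends as Referer when a link on this page is followed offsite:
# the URL it requested, not the path the server rewrote internally.
sub referer_sent_offsite {
    my ($host, $requested_path) = @_;
    return "http://$host$requested_path";
}

# Constructed sample requests (not taken from any real log).
my @requests = (
    '/0123456789abcdef0123456789abcdef/cart.asp',   # URL-session request
    '/cart.asp',                                    # cookie-session request
);

for my $path (@requests) {
    my ($sid, $clean) = split_session_prefix($path);
    my $referer = referer_sent_offsite('shop.example', $path);
    # The ID is exposed whenever it survives in the client-visible URL.
    my $leaks = defined $sid && index($referer, $sid) >= 0;
    printf "request=%s\n  internal uri=%s\n  referer=%s\n"
         . "  session id exposed offsite: %s\n",
        $path, $clean, $referer, $leaks ? 'yes' : 'no';
}
```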
