I can see how your approach adds functionality by performing as expected if
the user uses the Back button or opens the app in more than one browser
window. The usual objection I've heard to using form fields is the security
risk of people changing hidden fields in ways unforeseen before submitting
the form back, or of other people finding confidential data hidden in form
fields if the user walks away and leaves their browser open, or the web
page info gets hijacked somehow. Does your module address this, or is this
yet another tradeoff between security and functionality/convenience?

Wes Sheldahl



"David Harris" <[EMAIL PROTECTED]> on 02/20/2002 09:50:11 AM

To:   "Perrin Harkins" <[EMAIL PROTECTED]>, "Drew Taylor"
      <[EMAIL PROTECTED]>, "mod_perl Mailing List" <[EMAIL PROTECTED]>
cc:
Subject:  RE: [OT-ish] Session refresh philosophy



Perrin Harkins [mailto:[EMAIL PROTECTED]] wrote:
> > I built and use a module that encodes a session hash into a
> > number of hidden fields with a security MD5 sum.
>
> Sounds a lot like CGI::SecureState.  Have you ever looked at it?


My module doesn't need to store any information in a database or in the
filesystem. The entire state is given to the client in hidden form fields,
and is passed back to the server on the next request.

In addition, CGI::SecureState does not tie the state information to the
*page*. With my module (or any method that stores the *data* in a hidden
form field, not just a non-versioning key), state information is tied to the
page. Let me explain:
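As an added illustration of the hidden-field session scheme this thread discusses (example code written for this page, not Wes Sheldahl's or David Harris's module), the following Perl script serialises a session hash into one hidden field, attaches a MAC computed with a server-side secret, and refuses to decode a field whose MAC does not match. It uses HMAC-SHA256 from the core Digest::SHA module in place of the thread's MD5 sum; the secret value, the field names `state` and `mac`, and the sample session hash are all constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);
use JSON::PP ();

# Hypothetical server-side secret, constructed for this demo. A real deployment
# would load a long random value from a file only the server process can read.
my $SECRET = 'constructed-demo-secret-not-for-production';

# Serialise the session hash into one opaque hidden-field value and a MAC over it.
# canonical() fixes the key order so the same hash always yields the same bytes.
sub encode_state {
    my ($state) = @_;
    my $json = JSON::PP->new->canonical->encode($state);
    my $blob = encode_base64($json, '');            # '' => no embedded newlines
    my $mac  = hmac_sha256_hex($blob, $SECRET);     # MAC over the exact bytes sent
    return ($blob, $mac);
}

# Recompute the MAC over the blob exactly as it came back and compare in
# constant time. Any edit to the hidden field changes the blob and so the MAC.
# Returns the session hash, or undef if a field is missing, altered, or unparsable.
sub decode_state {
    my ($blob, $mac) = @_;
    return undef unless defined $blob && defined $mac;
    my $expected = hmac_sha256_hex($blob, $SECRET);
    return undef unless _ct_eq($expected, $mac);
    my $state = eval { JSON::PP->new->decode(decode_base64($blob)) };
    return ref($state) eq 'HASH' ? $state : undef;
}

# Length check, then XOR every byte, so a wrong MAC is rejected without a
# timing side channel on how many leading characters matched.
sub _ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Render the two hidden fields. Base64 and hex contain no characters that need
# HTML escaping inside a double-quoted attribute value.
sub hidden_fields_html {
    my ($state) = @_;
    my ($blob, $mac) = encode_state($state);
    return qq{<input type="hidden" name="state" value="$blob">\n}
         . qq{<input type="hidden" name="mac" value="$mac">\n};
}

# --- Demo with a constructed session hash ----------------------------------
my %session = (user => 'alice', cart => ['sku-1', 'sku-2'], step => 2);
print hidden_fields_html(\%session);

# Round trip: the browser posts both fields back unchanged.
my ($blob, $mac) = encode_state(\%session);
my $ok = decode_state($blob, $mac);
printf "unchanged fields: %s\n", $ok ? "accepted, user=$ok->{user}" : 'rejected';

# The state field comes back edited but still carries the old MAC: detected.
my $altered = encode_base64(JSON::PP->new->canonical->encode(+{ %session, user => 'admin' }), '');
my $bad = decode_state($altered, $mac);
printf "altered state field: %s\n", $bad ? 'accepted (!)' : 'rejected';

# The mac field is absent (stripped by a proxy or a hand-built request): rejected.
printf "missing mac field: %s\n", decode_state($blob, undef) ? 'accepted (!)' : 'rejected';
```

The MAC addresses the first half of Wes's question: without the server secret a client cannot produce a matching `mac` for an edited `state` field, so the edit is detected and the request can be rejected and logged. It does not address the second half: base64 is encoding, not encryption, so a browser left open or a saved page still exposes whatever the hash contains in readable form. Keep confidential values out of the hidden fields, or encrypt the blob in addition to signing it. Note also that an unmodified old (`state`, `mac`) pair stays valid for as long as the secret does, since nothing server-side records which pairs have already been used.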
