> On Fri, Apr 04, 2003 at 03:34:25PM +0200, Frank Maas wrote:
>> You can set a session (see Apache::Session and related modules) that
>> can use the uri as session-container as well (eg
>> http://www.example.com/9o79876a98d7fa98d7/path/to/doc). The session
>> part (9o79876a98d7fa98d7) can be stored in a database.
>>
>> Success.
>
> Technically, that doesn't solve the problem either. Since the session
> information is in the URL, there is nothing to stop the user from IM
> that URL to their friend, who then has total access, without a
> cookie, just by using the current user's session.
>
> I must not fully understand the taboo against using cookies. It's
> rare that an online application, e-commerce related or otherwise,
> works without cookies. If you're doing anything more than browsing
> static data, you'll quickly become frustrated at the lack of support
> for non-cookie-enabled browsers.
On the latter I totally agree. To avoid the session snatching you describe, you can store IP addresses on your site in the database. You won't solve proxy-server problems with this though. So what about the following approach:

* a user logs on and you issue a session, as part of the uri
* when the user requests another page, you fetch the session from the uri, check it against your database and (let's assume it's correct) you allow access, but while issuing a new session

If this works (and as some people consequently add 'untested') then session snatching becomes a hell of a job. If one user logs in, and the other copies the session and retrieves a page, the session changes, so the first user has to copy the new session again. Sounds promising.... But to return to my first phrase: with cookies it's much more simple.

--Frank

PS: What I never got though... how 'bout stealing cookies from someone's system?
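The per-request rotation Frank sketches, written out as an added example in Python rather than Perl (it is not code from the thread or from Apache::Session). A dict stands in for the database table, and the function names, the `www.example.com` host and the client addresses are assumed for illustration:

```python
import secrets
from urllib.parse import urlparse

# Constructed stand-in for the database table the thread proposes:
# current session id -> {"user": ..., "ip": ...}. Names are assumed.
_sessions = {}


def issue_session(user, client_ip):
    """Log-on step: mint an unguessable id and record it with the client address."""
    token = secrets.token_hex(16)
    _sessions[token] = {"user": user, "ip": client_ip}
    return token


def rotate_session(token, client_ip):
    """Validate the id taken from the uri and, on success, replace it.

    Returns (user, new_token), or (None, None) if the id is unknown or was
    bound to a different address. The old id is removed, so a uri copied
    before the legitimate user's next request dies with that request.
    """
    record = _sessions.get(token)
    if record is None or record["ip"] != client_ip:
        # Checked before deleting: a request from the wrong address must not
        # be able to knock the real user out of their session.
        return None, None
    del _sessions[token]
    new_token = secrets.token_hex(16)
    _sessions[new_token] = record
    return record["user"], new_token


def build_uri(token, path):
    """Put the id in the uri the way the quoted message shows."""
    return f"http://www.example.com/{token}{path}"


def extract_token(uri):
    """Split the session id back out of such a uri: returns (token, path)."""
    parts = urlparse(uri).path.split("/")   # ['', token, 'path', 'to', 'doc']
    return parts[1], "/" + "/".join(parts[2:])


def demo():
    """Walk through the scenario from the thread; returns (label, ok) pairs."""
    outcome = []
    t1 = issue_session("alice", "10.0.0.5")
    leaked = build_uri(t1, "/path/to/doc")      # Alice IMs this link to a friend
    # Alice's next request: her id is accepted and swapped for a new one.
    user, t2 = rotate_session(t1, "10.0.0.5")
    outcome.append(("alice next request accepted", user == "alice" and t2 != t1))
    # The friend follows the leaked link afterwards: the old id is gone.
    tok, _ = extract_token(leaked)
    outcome.append(("friend's old link rejected",
                    rotate_session(tok, "10.0.0.7") == (None, None)))
    # Even from Alice's own address the stale id is dead.
    outcome.append(("stale id from same address rejected",
                    rotate_session(tok, "10.0.0.5") == (None, None)))
    return outcome


if __name__ == "__main__":
    for label, ok in demo():
        print(f"{label}: {'ok' if ok else 'FAILED'}")
```

Two practical caveats follow from the code rather than from the thread: whatever recorded the uri (browser history, proxy or server logs) holds a working id until the user's next request, and because every request invalidates the previous id, a page whose images or frames are fetched in parallel with the old id will have those secondary requests rejected unless the application serves them outside the session check.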