> On Fri, Apr 04, 2003 at 03:34:25PM +0200, Frank Maas wrote:
>> You can set a session (see Apache::Session and related modules) that
>> can use the uri as session-container as well (eg
>> http://www.example.com/9o79876a98d7fa98d7/path/to/doc). The session
>> part (9o79876a98d7fa98d7) can be stored in a database.
>>
>> Success.
>
> Technically, that doesn't solve the problem either. Since the session
> information is in the URL, there is nothing to stop the user from IM
> that URL to their friend, who then has total access, without a
> cookie, just by using the current users session.
>
> I must not fully understand the taboo against using cookies. It's
> rare that an online application, e-commerce related or otherwise,
> works without cookies. If you're doing anything more than browsing
> static data, you'll quickly become frustrated at the lack of support
> for non-cookie-enabled browsers.
On the latter I totally agree. To avoid the session snatching you
describe, you can store IP addresses on your site in the database.
You won't solve proxyserver-problems with this though. So what about
the following approach:
* a user logs on and you issue a session, as part of the uri
* when the user requests another page, you fetch the session
from the uri, check it against your database and (let's
assume it's correct) you allow access but while issuing
a new session
If this works (and as some people consequently add 'untested') then
session snatching becomes a hell of a job. If one user logs in, and
the other copies the session and retrieves a page, the session
changes, so the first user has to copy the new session again. Sounds
promising.... But to return to my first phrase: with cookies it's
much more simple.
--Frank
PS: What I never got though... how 'bout stealing cookies from
someone's system?
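The rotate-on-every-request scheme sketched in the reply above, as an added Python example that is not code from the thread: Apache::Session and the database are stood in for by an in-memory dict, the IP addresses are constructed, and the two scenarios show both the case where a copied URI is rejected and the race the reply admits to (a copier who uses the current URI first, from behind the same proxy address, locks the real user out).

```python
import secrets


class UriSessionStore:
    """In-memory stand-in for the database mentioned in the post (constructed
    for this example). Maps the session part of the URI to (user, client_ip)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip):
        """Issue the first session token at login; the caller embeds it in the URI."""
        token = secrets.token_urlsafe(16)
        self._sessions[token] = (user, client_ip)
        return token

    def request(self, token, client_ip):
        """Validate the token taken from the URI. On success the old token is
        deleted and a fresh one issued, so each URI is usable exactly once.
        Returns (user, new_token), or None if the request is rejected."""
        entry = self._sessions.get(token)
        if entry is None:
            return None                      # unknown or already-rotated token
        user, bound_ip = entry
        if bound_ip != client_ip:
            return None                      # IP binding from the post; defeated by shared proxies
        del self._sessions[token]            # rotate: any copy of the old URI is now dead
        new_token = secrets.token_urlsafe(16)
        self._sessions[new_token] = (user, client_ip)
        return user, new_token


def stale_copy_scenario():
    """Alice logs in and browses once; a friend who was sent the original URI tries it afterwards."""
    store = UriSessionStore()
    t0 = store.login("alice", "198.51.100.7")      # constructed address
    user, t1 = store.request(t0, "198.51.100.7")   # Alice's own next request rotates the token
    copied = store.request(t0, "198.51.100.7")     # same IP (e.g. same proxy), but t0 is gone
    return user, t1 != t0, copied


def race_scenario():
    """The copier uses the current URI before Alice's next request, from behind the same proxy IP."""
    store = UriSessionStore()
    t0 = store.login("alice", "203.0.113.9")       # constructed address
    copier = store.request(t0, "203.0.113.9")      # succeeds: rotation cannot tell the two apart
    alice = store.request(t0, "203.0.113.9")       # Alice's next click now fails; a rejected request
    return copier is not None, alice               # from a known-good user is the thing to log
```

A rejected request from a user who was valid a moment ago is the only trace this scheme leaves of a copied URI, so that rejection is worth logging rather than silently redirecting to the login page.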