Dan Hardiker wrote:
>>URL based session management has more risks than cookies.
>>Please advise people to consider risks :)
> 
> 
> but cookies aren't always enabled (in my area of deployment 90% don't have
> them enabled) .. and the fact is no matter where the data goes client
> side, the data can still be pulled.

Right. That's why I ask users to enable cookies if I need more security.

I'm not saying we should not use URL based session ID.
Some mobile browsers do not have a cookie feature at all.

What I'm insisting is that we should let users know what kind
of risks are involved with URL based sessions.
(Assuming users know the issues/risks with session management
with cookies :)

--
Yasuo Ohgaki



-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
