> > You are correct. And that is one more reason to only use
> cookies to save
> > session tokens instead of using the URL.
>
> What are you talking about? If someone is hacking your site,
> it won't matter
> if it is with a cookie or a token in the URL. Putting it in a
> cookie doesn't
> make anything more secure.
This is not entirely true - if you have an identifying token in
the URL, it will be recorded in logs of any sites you have links
to (in the HTTP_REFERER field). An nefarious employee of a site
you link to could (theoretically) exploit this to hijack your
users' sessions for evil purposes.
Cookies are a tad more secure, then, especially with SSL sessions.
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
