There is no more and no less security with cookies when compared with URL
rewriting. Many web servers have extended logs turned on and capture cookies in
the access logs. This is not a security issue, it is a convenience issue.
Cookies are automatically supported by most browsers, therefore it is easy to
use them unless someone turns them off. URL rewriting is a big pain in the #$%!
because it forces the programmer to come up with an alternative to cookies.
The only reason some people don't like cookies is because they feel violated
that some unknown group could potentially keep track of their usage behavior
and use this information for unknown purposes. It's paranoid to interpret that
the use of cookies in this way is for some nefarious purpose, but, you know
what they say, perception is reality. So, this is why the manufacturers of
browsers give customers the option of turning cookies on or off, because some
people are paranoid and ignorant.
-ernie
Kief Morris wrote:
> > > You are correct. And that is one more reason to only use
> > > cookies to save
> > > session tokens instead of using the URL.
> >
> > What are you talking about? If someone is hacking your site,
> > it won't matter
> > if it is with a cookie or a token in the URL. Putting it in a
> > cookie doesn't
> > make anything more secure.
>
> This is not entirely true - if you have an identifying token in
> the URL, it will be recorded in logs of any sites you have links
> to (in the HTTP_REFERER field). A nefarious employee of a site
> you link to could (theoretically) exploit this to hijack your
> users' sessions for evil purposes.
>
> Cookies are a tad more secure, then, especially with SSL sessions.
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
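The two exposures discussed in this thread, a session token written into the server's own access log (Ernie's point) and the same token carried to a linked-to site in the Referer header (Kief's point), as an added example that is not part of the original messages. It is a small scanner over constructed Apache combined-format log lines that flags session identifiers in the request line (the `;jsessionid=` path-parameter form that servlet URL rewriting produces, plus common query-string names) or in the Referer field, and redacts them before the log is retained. The token names, the sample lines and the token values are assumptions made for the example, not anything from the thread.

```python
"""Added example, not from the thread: find and redact session tokens that
URL rewriting leaves in web server access logs. All log lines, hostnames and
token values below are constructed samples."""
import re

# Parameter names under which a session identifier is assumed to travel.
# 'jsessionid' is the servlet URL-rewriting path parameter (/page;jsessionid=...);
# the others are common query-string names. Extend for your own application.
TOKEN_NAMES = ("jsessionid", "sessionid", "sid")

# Matches ';name=value', '?name=value' or '&name=value' anywhere in a URL.
TOKEN_RE = re.compile(r"(?i)([;?&])(" + "|".join(TOKEN_NAMES) + r")=([A-Za-z0-9._-]+)")

# Apache/NCSA combined format: both the quoted request line and the quoted
# Referer are written to disk, so a token in either ends up in clear text.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    # Own server, URL rewriting in use: the token sits in the request path.
    '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /cart;jsessionid=ABC123DEF456 HTTP/1.1" '
    '200 2326 "-" "Mozilla/4.0"',
    # A partner site's log after the user followed an outbound link: the same
    # token arrived in the Referer, which is exactly the leak Kief describes.
    '10.0.0.5 - - [10/Oct/2000:13:56:01 -0700] "GET /promo HTTP/1.1" '
    '200 512 "http://shop.example/cart;jsessionid=ABC123DEF456" "Mozilla/4.0"',
    # Cookie-based session: nothing identifying in the URL or the Referer.
    '10.0.0.7 - - [10/Oct/2000:13:57:10 -0700] "GET /cart HTTP/1.1" '
    '200 2326 "http://shop.example/" "Mozilla/4.0"',
]


def extract_tokens(url):
    """Return [(name, value), ...] for every session-token parameter in url."""
    return [(m.group(2).lower(), m.group(3)) for m in TOKEN_RE.finditer(url)]


def scan_log(lines):
    """Return (line_number, where, name, value) for each token exposure found.
    'where' is 'request' (token in our own URL) or 'referer' (token that a
    linked-to site received from a browser and recorded)."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = COMBINED_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        parts = match.group("request").split(" ")
        target = parts[1] if len(parts) >= 2 else ""
        for name, value in extract_tokens(target):
            findings.append((number, "request", name, value))
        for name, value in extract_tokens(match.group("referer")):
            findings.append((number, "referer", name, value))
    return findings


def redact(line):
    """Replace every token value in a log line with a fixed marker, keeping
    the delimiter and parameter name so the line stays parseable."""
    return TOKEN_RE.sub(lambda m: m.group(1) + m.group(2) + "=[REDACTED]", line)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("line %d: %s token in %s" % (finding[0], finding[2], finding[1]))
    for line in SAMPLE_LOG:
        print(redact(line))
```

Running the block against the samples reports the first line (token in our own request path) and the second line (token in a third party's Referer field); the cookie-based third line is clean because a cookie is returned only to the host that set it and never appears in the URL a browser sends elsewhere. Redaction at log-write time is the complement to moving the token into a cookie: it limits what an operator of either server can read back later.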