The phisher could easily be notified that the special session id was used and have a farm of wamr bodies ready to attack.
-Tim
Remy Maucherat wrote:
To address this, I propose simply reusing any session id presented by the client. As an option, this could be done only if emptySessionPath is true. I have tested it, and it works very well, addressing the problem with emptySessionPath="true". I could not think of any security issue this would cause (if the client submits a bogus insecure id, then he'll be the one being impacted), since the undelying session objects would be created and handled as usual. In "normal" more (emptySessionPath set to false), this would save costly session id generation.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]