Newb question out of left field: What's to prevent someone from spoofing a Session ID?
On 12/1/05, Kevin Dangoor <[EMAIL PROTECTED]> wrote:
>
> There's a discussion going on on the CherryPy list about putting
> session IDs in the URL and having the session filter automatically
> pull the ID out. I think this has come up here as well.
>
> As Remi points out in this thread (http://tinyurl.com/aez56), CherryPy
> doesn't have any way to help you get your session ID in the URL.
> However, TurboGears *does* have a URL generation function. Its use is
> optional, but strongly recommended... it would be easy for that
> function to include a session ID, if needed...
>
> I just thought I'd bring this up for anyone else out there looking for
> sessions that don't require cookies.
>
> Kevin
>
> ---------- Forwarded message ----------
> From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Nov 30, 2005 8:28 PM
> Subject: [cherrypy-devel] Re: Sessions and cookies
> To: cherrypy-devel <[EMAIL PROTECTED]>
>
> Interesting. After thinking about it some more, there are some
> tremendous technological issues with rewriting URLs. The problem, as
> your comments suggest, is that a parser and javascript wrapper library
> are necessary. Funny enough, I built an entire web proxy that had a
> complete HTML parser and javascript wrapper library that rewrote URLs
> for a client years ago - it was a monumental task and would add way too
> much bloat to cherrypy.
>
> That said, I think this suggests a more generalized solution: the
> creation of a simple interface for sessionID extraction/insertion which
> allows users to plug in their particular implementation. So, for
> example, each of sessionfilter's methods could reference whatever class
> the user defined in the config (much as one can currently define
> classes to run when sessions are created or destroyed). For each method
> in sessionfilter, a corresponding predetermined named method could be
> available in the user defined class. I think this is essentially a
> strategy design pattern.
>
> I think the primary point I'm trying to make is that coupling sessions
> with cookies is unnecessary. Providing a mechanism for developers to
> implement their own sessionID extraction/insertion techniques gives
> them a real sense of freedom: as web applications (using xml-rpc, soap,
> etc), not just websites, become increasingly common, this will prove
> particularly important.
>
> As an aside, how exactly does one offer actual code for possible
> integration? Should I just code up a prototype and post it somewhere?
> If so, where?
>
> --
> Kevin Dangoor
> Author of the Zesty News RSS newsreader
>
> email: [EMAIL PROTECTED]
> company: http://www.BlazingThings.com
> blog: http://www.BlueSkyOnMars.com

--
[EMAIL PROTECTED]
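An added example, not code from this thread or from CherryPy/TurboGears: it sketches the pluggable extract/insert strategy interface the forwarded message proposes, with a cookie transport and a cookieless URL transport, and shows what actually answers the spoofing question: the server mints IDs from a CSPRNG and honours only IDs it issued, so a client-supplied or guessed ID is rejected rather than adopted. All class names and request/response keys are hypothetical.

```python
# Added example, not code from the thread or from CherryPy/TurboGears.
# Pluggable session-ID transport ("strategy") plus a server-side store that
# only accepts IDs it minted itself. Class and key names are hypothetical.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

class SessionIdStrategy:
    """Pluggable transport for the session ID (cookie, URL, header, ...)."""
    def extract(self, request):
        raise NotImplementedError
    def insert(self, response, sid):
        raise NotImplementedError

class CookieStrategy(SessionIdStrategy):
    def extract(self, request):
        return request.get("cookies", {}).get("session_id")
    def insert(self, response, sid):
        response["set_cookie"] = f"session_id={sid}; HttpOnly; Secure; SameSite=Lax"

class UrlStrategy(SessionIdStrategy):
    """Cookieless transport: the ID rides in a 'sid' query parameter."""
    def extract(self, request):
        return parse_qs(urlsplit(request.get("url", "")).query).get("sid", [None])[0]
    def insert(self, response, sid):
        parts = urlsplit(response.get("location", "/"))
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        query["sid"] = sid
        response["location"] = urlunsplit(parts._replace(query=urlencode(query)))

class SessionStore:
    def __init__(self, strategy):
        self.strategy = strategy
        self._sessions = {}   # sid -> session data, kept server side only

    def create(self, response):
        sid = secrets.token_urlsafe(16)   # 128 random bits: infeasible to guess
        self._sessions[sid] = {"fresh": True}
        self.strategy.insert(response, sid)
        return sid

    def load(self, request):
        sid = self.strategy.extract(request)
        # A client-chosen or guessed ID is simply unknown: reject it instead of
        # creating a session under it (that would enable session fixation).
        return self._sessions.get(sid) if sid is not None else None
```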

