Short answer: you can never completely trust anything that comes from any client. If you've got hefty security needs, program appropriately.
Kevin

On 12/1/05, Jared Kuolt <[EMAIL PROTECTED]> wrote:
>
> Newb question out of left field: What's to prevent someone from
> spoofing a Session ID?
>
> On 12/1/05, Kevin Dangoor <[EMAIL PROTECTED]> wrote:
> >
> > There's a discussion going on on the CherryPy list about putting
> > session IDs in the URL and having the session filter automatically
> > pull the ID out. I think this has come up here as well.
> >
> > As Remi points out in this thread (http://tinyurl.com/aez56), CherryPy
> > doesn't have any way to help you get your session ID in the URL.
> > However, TurboGears *does* have a URL generation function. Its use is
> > optional, but strongly recommended... it would be easy for that
> > function to include a session ID, if needed...
> >
> > I just thought I'd bring this up for anyone else out there looking for
> > sessions that don't require cookies.
> >
> > Kevin
> >
> > ---------- Forwarded message ----------
> > From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > Date: Nov 30, 2005 8:28 PM
> > Subject: [cherrypy-devel] Re: Sessions and cookies
> > To: cherrypy-devel <[EMAIL PROTECTED]>
> >
> > Interesting. After thinking about it some more, there are some
> > tremendous technological issues with rewriting URLs. The problem, as
> > your comments suggest, is that a parser and javascript wrapper library
> > are necessary. Funny enough, I built an entire web proxy that had a
> > complete HTML parser and javascript wrapper library that rewrote URLs
> > for a client years ago - it was a monumental task and would add way too
> > much bloat to cherrypy.
> >
> > That said, I think this suggests a more generalized solution: the
> > creation of a simple interface for sessionID extraction/insertion which
> > allows users to plug in their particular implementation. So, for
> > example, each of sessionfilter's methods could reference whatever class
> > the user defined in the config (much as one can currently define
> > classes to run when sessions are created or destroyed). For each method
> > in sessionfilter, a corresponding predetermined named method could be
> > available in the user defined class. I think this is essentially a
> > strategy design pattern.
> >
> > I think the primary point I'm trying to make is that coupling sessions
> > with cookies is unnecessary. Providing a mechanism for developers to
> > implement their own sessionID extraction/insertion techniques gives
> > them a real sense of freedom: as web applications (using xml-rpc, soap,
> > etc), not just websites, become increasingly common, this will prove
> > particularly important.
> >
> > As an aside, how exactly does one offer actual code for possible
> > integration? Should I just code up a prototype and post it somewhere?
> > If so, where?
> >
> >
> >
> > --
> > Kevin Dangoor
> > Author of the Zesty News RSS newsreader
> >
> > email: [EMAIL PROTECTED]
> > company: http://www.BlazingThings.com
> > blog: http://www.BlueSkyOnMars.com
> >
>
>
> --
> [EMAIL PROTECTED]
>

--
Kevin Dangoor
Author of the Zesty News RSS newsreader

email: [EMAIL PROTECTED]
company: http://www.BlazingThings.com
blog: http://www.BlueSkyOnMars.com
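The thread raises two separate points: Jared's question about what stops a client from spoofing a session ID, and the CherryPy-list proposal for a strategy-pattern interface so the ID can travel in a cookie or in the URL without the session filter caring which. The following Python sketch, added here as an illustration and not code from CherryPy, TurboGears or any poster, shows both. Every name in it (SessionTokens, SessionIdStrategy, CookieStrategy, UrlStrategy, resolve_session, the request/response dicts) is a hypothetical stand-in, not a real framework API. Spoofing is addressed by making the ID unguessable (random bytes from the OS) and tamper-evident (an HMAC over the ID under a server-held key), while still requiring a server-side lookup, since a valid MAC only proves the server issued the ID, not that the session is still live.

```python
"""Unguessable, HMAC-signed session IDs plus pluggable cookie/URL carriers.

All class and function names are hypothetical illustrations (not CherryPy or
TurboGears APIs). Requests and responses are plain dicts for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


class SessionTokens:
    """Mint and verify session tokens of the form '<random id>.<hmac-sha256>'.

    The random part defeats guessing; the MAC lets the server reject IDs it
    never issued before touching the session store. The store lookup is still
    mandatory: a good MAC does not prove the session has not expired/logged out.
    """

    def __init__(self, secret_key: bytes, id_bytes: int = 32):
        self._key = secret_key        # server-only secret (assumed loaded from config)
        self._id_bytes = id_bytes     # 32 bytes = 256 bits of entropy

    def _mac(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def new(self) -> str:
        sid = secrets.token_urlsafe(self._id_bytes)   # CSPRNG, URL-safe alphabet
        return f"{sid}.{self._mac(sid)}"

    def verify(self, token: Optional[str]) -> Optional[str]:
        """Return the bare session ID if the MAC checks out, else None."""
        if not token or "." not in token:
            return None
        sid, _, tag = token.rpartition(".")
        # compare_digest avoids leaking the MAC through timing differences
        if not sid or not hmac.compare_digest(tag, self._mac(sid)):
            return None
        return sid


class SessionIdStrategy:
    """The per-hook interface a session filter would call (strategy pattern)."""

    def extract(self, request: dict) -> Optional[str]:
        raise NotImplementedError

    def insert(self, response: dict, token: str) -> dict:
        raise NotImplementedError

    def rewrite_url(self, url: str, token: str) -> str:
        return url   # default: URLs carry nothing


class CookieStrategy(SessionIdStrategy):
    """Carry the token in a cookie; hardened attributes keep scripts/plain HTTP away."""

    def __init__(self, name: str = "session_id"):
        self.name = name

    def extract(self, request: dict) -> Optional[str]:
        return request.get("cookies", {}).get(self.name)

    def insert(self, response: dict, token: str) -> dict:
        response["set_cookie"] = f"{self.name}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return response


class UrlStrategy(SessionIdStrategy):
    """Carry the token as a query parameter (what a URL-generation helper would add)."""

    def __init__(self, param: str = "sid"):
        self.param = param

    def extract(self, request: dict) -> Optional[str]:
        return parse_qs(urlsplit(request["url"]).query).get(self.param, [None])[0]

    def insert(self, response: dict, token: str) -> dict:
        return response   # nothing to set; rewrite_url does the work

    def rewrite_url(self, url: str, token: str) -> str:
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        query[self.param] = [token]
        return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def resolve_session(strategy: SessionIdStrategy, tokens: SessionTokens,
                    request: dict, store: dict) -> Optional[dict]:
    """Pull the token via the configured strategy, verify it, then look it up."""
    sid = tokens.verify(strategy.extract(request))
    return store.get(sid) if sid else None


if __name__ == "__main__":
    tokens = SessionTokens(secrets.token_bytes(32))    # demo key, constructed here
    tok = tokens.new()
    store = {tokens.verify(tok): {"user": "alice"}}    # constructed session store
    url = UrlStrategy().rewrite_url("https://example.test/page?x=1", tok)
    print(resolve_session(UrlStrategy(), tokens, {"url": url}, store))
    print(resolve_session(UrlStrategy(), tokens, {"url": url + "x"}, store))   # tampered
```

The URL strategy is deliberately the weaker carrier: anything in a query string shows up in server logs, browser history and Referer headers, which is why the cookie strategy sets HttpOnly, Secure and SameSite. Whichever carrier is plugged in, the session filter only ever sees the output of `tokens.verify`, so the "trust nothing from the client" rule at the top of the thread is enforced in one place.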

