Nother n00b question from left field, what's the problem with just using cookies?
Bryan

On 12/1/05, Kevin Dangoor <[EMAIL PROTECTED]> wrote:
>
> Short answer: you can never completely trust anything that comes from
> any client. If you've got hefty security needs, program appropriately.
>
> Kevin
>
> On 12/1/05, Jared Kuolt <[EMAIL PROTECTED]> wrote:
> >
> > Newb question out of left field: What's to prevent someone from
> > spoofing a Session ID?
> >
> > On 12/1/05, Kevin Dangoor <[EMAIL PROTECTED]> wrote:
> > >
> > > There's a discussion going on on the CherryPy list about putting
> > > session IDs in the URL and having the session filter automatically
> > > pull the ID out. I think this has come up here as well.
> > >
> > > As Remi points out in this thread (http://tinyurl.com/aez56), CherryPy
> > > doesn't have any way to help you get your session ID in the URL.
> > > However, TurboGears *does* have a URL generation function. Its use is
> > > optional, but strongly recommended... it would be easy for that
> > > function to include a session ID, if needed...
> > >
> > > I just thought I'd bring this up for anyone else out there looking for
> > > sessions that don't require cookies.
> > >
> > > Kevin
> > >
> > > ---------- Forwarded message ----------
> > > From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > > Date: Nov 30, 2005 8:28 PM
> > > Subject: [cherrypy-devel] Re: Sessions and cookies
> > > To: cherrypy-devel <[EMAIL PROTECTED]>
> > >
> > > Interesting. After thinking about it some more, there are some
> > > tremendous technological issues with rewriting URLs. The problem, as
> > > your comments suggest, is that a parser and javascript wrapper library
> > > are necessary. Funny enough, I built an entire web proxy that had a
> > > complete HTML parser and javascript wrapper library that rewrote URLs
> > > for a client years ago - it was a monumental task and would add way too
> > > much bloat to cherrypy.
> > >
> > > That said, I think this suggests a more generalized solution: the
> > > creation of a simple interface for sessionID extraction/insertion which
> > > allows users to plug in their particular implementation. So, for
> > > example, each of sessionfilter's methods could reference whatever class
> > > the user defined in the config (much as one can currently define
> > > classes to run when sessions are created or destroyed). For each method
> > > in sessionfilter, a corresponding predetermined named method could be
> > > available in the user defined class. I think this is essentially a
> > > strategy design pattern.
> > >
> > > I think the primary point I'm trying to make is that coupling sessions
> > > with cookies is unnecessary. Providing a mechanism for developers to
> > > implement their own sessionID extraction/insertion techniques gives
> > > them a real sense of freedom: as web applications (using xml-rpc, soap,
> > > etc), not just websites, become increasingly common, this will prove
> > > particularly important.
> > >
> > > As an aside, how exactly does one offer actual code for possible
> > > integration? Should I just code up a prototype and post it somewhere?
> > > If so, where?
> > >
> > > --
> > > Kevin Dangoor
> > > Author of the Zesty News RSS newsreader
> > >
> > > email: [EMAIL PROTECTED]
> > > company: http://www.BlazingThings.com
> > > blog: http://www.BlueSkyOnMars.com
> >
> > --
> > [EMAIL PROTECTED]
>
> --
> Kevin Dangoor
> Author of the Zesty News RSS newsreader
>
> email: [EMAIL PROTECTED]
> company: http://www.BlazingThings.com
> blog: http://www.BlueSkyOnMars.com
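Added example, not code from this thread or from CherryPy/TurboGears: a sketch of the pluggable sessionID extraction/insertion interface the forwarded message proposes (a cookie carrier and a URL carrier behind the same two methods), combined with Kevin's point that a client-supplied ID is never trusted as such. Here the server only honours IDs it generated itself: the ID is random, carries an HMAC tag, and must still exist in the server-side store. SERVER_KEY, CookieCarrier, UrlCarrier and the request/response dicts are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed demo key; a real deployment loads it from config, never from source.
SERVER_KEY = b"constructed-demo-key-not-for-production"
_sessions = {}  # server-side store: sid -> session data

def sign_sid(sid):
    """Tag the random id with an HMAC so a client cannot mint plausible ids."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()[:32]

def issue_session():
    """Create a session server-side and return the token handed to the client."""
    sid = secrets.token_hex(16)  # 128 random bits: not guessable
    _sessions[sid] = {}
    return f"{sid}.{sign_sid(sid)}"

def resolve_session(token):
    """Session data for a client-supplied token, or None. The MAC rejects forged
    ids cheaply; the store lookup rejects ids the server never issued."""
    if not token or "." not in token:
        return None
    sid, tag = token.rsplit(".", 1)
    if not hmac.compare_digest(tag, sign_sid(sid)):
        return None
    return _sessions.get(sid)

class CookieCarrier:
    """Strategy: the token travels in a cookie (request/response are plain dicts)."""
    name = "session_id"
    def extract(self, request):
        return request.get("cookies", {}).get(self.name)
    def insert(self, response, token):
        hdrs = response.setdefault("headers", {})
        hdrs["Set-Cookie"] = f"{self.name}={token}; HttpOnly; Secure; SameSite=Lax"
        return response

class UrlCarrier:
    """Strategy: the token travels in the query string of URLs the app generates."""
    name = "session_id"
    def extract(self, request):
        return parse_qs(urlsplit(request.get("url", "")).query).get(self.name, [None])[0]
    def insert(self, response, token):
        parts = urlsplit(response["location"])
        query = parse_qs(parts.query)
        query[self.name] = [token]
        response["location"] = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
        return response
```

Whichever carrier is plugged in, the filter's per-request step is the same: `resolve_session(carrier.extract(request))`, and a None result means "no session", never "trust what the client sent".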

