Edmund Lian wrote:
> On 01/03/2003 04:47:38 PM webware-discuss-admin wrote:
> >I am looking to have WK be session aware when the client side cannot support
> >Cookies or POSTs (specifically, I am targeting Plucker on the Palm OS). Is
> >this doable/hackable? Ideas?
>
> ... is yes. There's a setting in Application.config to turn this on.
>
> Be aware however, that having the session encoded in the URL makes session
> hijacking easier, and bookmarking harder.

In what way does it make session hijacking easier? Sure, if you're unencrypted, someone could see the URL session in the traffic as it goes by, but the same is true of the _SID_ cookie, isn't it? So it would seem that only SSL makes session hijacking hard, and it then doesn't matter which one you use for security?

If this isn't correct, someone please enlighten me.

--
Randall Randall <[EMAIL PROTECTED]>
"[The] poetic justice of cause and effect compels respect, compassion." -- Faithless, God is a DJ.
