On 01/03/2003 07:31:31 PM  Randall wrote:

>> Be aware however, that having the session encoded in the URL makes
>> session hijacking easier, and bookmarking harder.
>
>In what way does it make session hijacking easier?  Sure, if you're
>unencrypted, someone could see the URL session in the traffic as it
>goes by, but the same is true of the _SID_ cookie, isn't it?  So it
>would seem that only SSL makes session hijacking hard, and it then
>doesn't matter which one you use for security?

What I meant was that embedding the session ID in the URL makes it easier
for someone to walk past your desk and get what they need to take over your
session. This is not hijacking in the conventional sense.

There is one scenario that is a hijack situation though... suppose you
design a site that allows users to post URLs that other users can click on.
To hijack sessions, a rogue user only has to post a URL that takes
unsuspecting users to the other site. The victim(s) session ID is now
available at the other site as part of the HTTP Referer header. It is
possible to protect your users from this, but you need to take care to do
so.

...Edmund.
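An audit helper for the Referer scenario Edmund describes, added here as an example that is not part of the original thread: given a page URL carrying the session ID and that page's HTML, it lists the user-posted external links whose click would hand the session ID to another site. The function and sample names, the sample page and HTML, and the `_SID_` parameter name are all constructed for this example; it assumes the classic browser rule that the full URL including the query string is sent as Referer except on a secure-to-insecure navigation (RFC 2616 section 15.1.3).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags from a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_referer_leaks(page_url, html, session_param="_SID_"):
    """Return absolute external link targets that would receive the
    session ID in the Referer header when clicked from page_url."""
    page = urlsplit(page_url)
    if session_param not in parse_qs(page.query):
        return []  # no session ID in the URL, nothing to leak
    collector = _LinkCollector()
    collector.feed(html)
    leaks = []
    for href in collector.hrefs:
        target = urlsplit(urljoin(page_url, href))
        if target.scheme not in ("http", "https"):
            continue  # mailto:, javascript: etc. send no Referer
        if target.netloc.lower() == page.netloc.lower():
            continue  # same site already knows this session ID
        if page.scheme == "https" and target.scheme == "http":
            continue  # secure-to-insecure navigation drops the Referer
        leaks.append(target.geturl())
    return leaks


# Constructed sample: a forum thread page with the session ID in its URL
SAMPLE_PAGE_URL = "http://forum.example.net/thread?_SID_=7f3a9c&id=42"
SAMPLE_HTML = """<html><body>
<a href="/thread?id=43&amp;_SID_=7f3a9c">next thread</a>
<a href="http://www.example.org/cool">user-posted link</a>
<a href="https://other.example.com/">another user-posted link</a>
<a href="mailto:someone@example.org">mail the author</a>
</body></html>"""

if __name__ == "__main__":
    for url in find_referer_leaks(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("session ID would leak via Referer to:", url)
```

Run against real pages, a non-empty result means those links need to be served without the session ID in the page URL (for example by keeping the session in a cookie for logged-in users).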



Webware-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/webware-discuss