Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

comment on

( [id://3333]=superdoc: print w/replies, xml ) Need Help??

since the session ID is displayed in plain view in the browser's address bar and could be easily hijacked by a passerby

While I applaud your attention to security, I think you're passing the security boundary and into paranoia. If someone passing by can easily remember a sessionid then either your session ids are way too small or the person is wasting their time and should be in a casino somewhere counting cards.

But ... if you're still really worried, you could combine the true session id with something else, a nonce, that isn't seen by the passerby. Some people use the ip address of the incoming request but you really need to know your clients to do that (there could easily be lot's of clients coming from the same nat gateway). Or you could create a nonce on your own and insert it as a hidden field. The problem there ... every request would need to be a POST.

Personally, I've given up on the people who do not accept cookies. The only thing I try to do is minimize the number of cookies I create (I'm almost down to one!). It's a trade-off.

-derby

In reply to Re^2: Another question about session-id by derby
in thread Another question about session-id by lihao

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others rifling through the Monastery: (6)
As of 2024-03-28 08:12 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found