Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid

Re^3: Just Another Question About Sessions

by seattlejohn (Deacon)
on Sep 26, 2005 at 20:23 UTC ( #495210=note: print w/replies, xml ) Need Help??

in reply to Re^2: Just Another Question About Sessions
in thread Just Another Question About Sessions And User Management

an embedded sessionid in urls... still offers security, particularly if web pages check the sessionid against the incoming IP address.

I believe this to be an oversimplification. Different users can have the same apparent IP address thanks to proxy servers. Additionally, as described in "Writing Apache Modules with Perl and C", URLs with session data can leak out to other sites via the HTTP Referer (sic) header if your site links to external resources or if a visitor leaves your site for another.

MSDN Magazine has an document on maintaining session state that points out, "[Embedding session IDs in URLs] is discouraged from the security perspective because cookieless IDs lend themselves better to discovery and spoofing, and to injection by link posting or phishing attacks".

As I see it, there's a balance to be struck between alienating users who don't want to accept cookies and accepting the somewhat heightened risk of using session IDs embedded in URLs in the absence of cookies.

        $perlmonks{seattlejohn} = 'John Clyman';

  • Comment on Re^3: Just Another Question About Sessions

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://495210]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (5)
As of 2023-02-01 12:41 GMT
Find Nodes?
    Voting Booth?
    I prefer not to run the latest version of Perl because:

    Results (2 votes). Check out past polls.