in reply to Re: CGI::Session --help
in thread CGI::Session --help

I have to advise against passing session information in URLs because it can easily be a gaping security hole.

If some user sees an interesting page and publishes the URL somewhere (chat, bulletin board or whatever) all others are authenticated as the original user.

Re^3: CGI::Session --help
by oxone (Friar) on Aug 28, 2007 at 12:06 UTC
    You're right, but it does resolve the original request, which the much better cookie method doesn't.

    You could improve the security of a URL-based session id by:

    use CGI::Session ( '-ip_match' );
    which will only allow the session if it's coming from the same IP number (downside: if your ISP changes your IP address mid-session, you'll be logged out).

    Also you can improve things a little by timing out the session relatively quickly.

    It's worth noting that the same security hole exists using cookies, in that somebody with a copy of your cookie could get access as you. It's just that it's a little harder for you to publish your cookie inadvertently.
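As an added illustration of the two mitigations above (this is not code from the thread or from CGI::Session's own docs), the script below turns on -ip_match and a 15 minute idle time-out, then replays the same session id from the address that created it and from a second address, as would happen after the URL was pasted into a chat. The temporary file store, the two client addresses and the user name are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session qw/-ip_match/;    # honour a session only from the address that created it
use File::Temp qw/tempdir/;

# Constructed setup: a throw-away file store and two made-up client addresses.
my $dsn      = 'driver:file;serializer:default;id:md5';
my %dsn_args = ( Directory => tempdir( CLEANUP => 1 ) );
my $user_ip  = '192.0.2.10';      # the user who logged in
my $other_ip = '198.51.100.7';    # whoever later follows the pasted URL

# Request 1: login. CGI->new({}) stands in for the real request object.
$ENV{REMOTE_ADDR} = $user_ip;
my $session = CGI::Session->new( $dsn, CGI->new({}), \%dsn_args )
    or die CGI::Session->errstr;
$session->expire('+15m');         # idle time-out: bounds how long a leaked sid stays usable
$session->param( user => 'alice' );
my $sid = $session->id;           # the value that would be embedded in every URL
$session->flush;                  # persist now rather than waiting for DESTROY
printf "created %s for %s\n", $sid, $session->remote_addr;

# Request 2: same sid, same address -> accepted.
my $s2 = CGI::Session->load( $dsn, $sid, \%dsn_args ) or die CGI::Session->errstr;
printf "from %s: %s\n", $ENV{REMOTE_ADDR},
    $s2->is_empty ? 'rejected' : 'accepted as ' . $s2->param('user');
$s2->flush;

# Request 3: same sid opened from another address. With -ip_match, load() sees
# the stored address differ from REMOTE_ADDR and deletes the session, so the
# caller gets an empty object instead of alice's data.
$ENV{REMOTE_ADDR} = $other_ip;
my $s3 = CGI::Session->load( $dsn, $sid, \%dsn_args ) or die CGI::Session->errstr;
printf "from %s: %s\n", $ENV{REMOTE_ADDR},
    $s3->is_empty ? 'rejected (session removed from store)' : 'accepted';

# Side effect worth knowing: the mismatch removed the session, so the legitimate
# user is logged out as well. That is the trade-off oxone mentions for a changing IP.
$ENV{REMOTE_ADDR} = $user_ip;
my $s4 = CGI::Session->load( $dsn, $sid, \%dsn_args ) or die CGI::Session->errstr;
printf "from %s again: %s\n", $ENV{REMOTE_ADDR}, $s4->is_empty ? 'gone' : 'still there';
```

In a real CGI the session id would come from the cookie or URL parameter via the query object rather than the $sid variable; the check behaves the same either way.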

      You're absolutely right. Somehow the original question sounds like an XY Problem because it's not the usually desired behaviour.

        I Asked X, I Mean X and I Want A Solution For X ... Period!!
        --
        Thnx n Regards

        Cherry