[Seaside-dev] RE: Rekeying Sessions

Julian Fitzell jfitzell at gmail.com
Wed Mar 18 22:09:19 UTC 2009


On Wed, Mar 18, 2009 at 10:52 PM, Philippe Marschall
<philippe.marschall at gmail.com> wrote:
> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>> Julian,
>>
>> Most certainly, there's really nothing in there that isn't generally known to Seaside folks already. There really were only 3.5 issues raised,
>>
>> 1. Session ID Stored in URL (Medium)
>
> I don't agree with this one. I don't see why additionally writing the
> session id to disk (that's what browsers do) adds any security. You
> still transmit it with every request, just in a different part of the
> HTTP header.

Presumably the issue they were concerned about is people passing URLs
around, no?

Julian

