
Re: Security fix that started all this



On Fri, 2006-09-08 at 16:19 -0400, David Van Ginneken wrote:
>         Your approach is interesting.  I'm not sure it is doable since
>         (If I am understanding it correctly)  it requires every link
>         to be the result of a posted form.  All of the menu links
>         would not work correctly.  

It works just as well with GET requests. You just have to include the
session token in the query string.

>         You still would be able to pass the sessionid around in the
>         URL to rid the need for cookies. Similar to how the timestamp
>         was done in the past.  But we could remove the timeout & login
>         information and keep that server side. 

I don't use a session id. I'll post the patch over the weekend some
time. I don't have time to clean it up and ready for public consumption
right now.

-- 
Tony Fraser
..hidden..
Sybaspace Internet Solutions                        System Administrator
phone: (250) 246-5368                                fax: (250) 246-5398