Re: Security fix that started all this
- Subject: Re: Security fix that started all this
- From: Tony Fraser <..hidden..>
- Date: Fri, 08 Sep 2006 16:34:10 -0700
On Fri, 2006-09-08 at 16:19 -0400, David Van Ginneken wrote:
> Your approach is interesting. I'm not sure it is doable since
> (If I am understanding it correctly) it requires every link
> to be the result of a posted form. All of the menu links
> would not work correctly.
It works just as well with GET requests. You just have to include the
session token in the query string.
> You still would be able to pass the sessionid around in the
> URL to rid the need for cookies. Similar to how the timestamp
> was done in the past. But we could remove the timeout & login
> information and keep that server side.
I don't use a session id. I'll post the patch over the weekend some
time. I don't have time to clean it up and ready for public consumption
right now.
--
Tony Fraser
..hidden..
Sybaspace Internet Solutions System Administrator
phone: (250) 246-5368 fax: (250) 246-5398