[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security fix that started all this
- Subject: Re: Security fix that started all this
- From: Tony Fraser <..hidden..>
- Date: Fri, 08 Sep 2006 16:34:10 -0700
On Fri, 2006-09-08 at 16:19 -0400, David Van Ginneken wrote:
> Your approach is interesting. I'm not sure it is doable since
> (If I am understanding it correctly) it requires every link
> to be the result of a posted form. All of the menu links
> would not work correctly.
I works just as well with GET requests. You just have to include the
session token in the query string.
> You still would be able to pass the sessionid around in the
> URL to rid the need for cookies. Similiar to how the timestamp
> was done in the past. But we could remove the timeout & login
> information and keep that server side.
I don't use a session id. I'll post the patch over the weekend some
time. I don't have time to clean it up and ready for public consumption
Sybaspace Internet Solutions System Administrator
phone: (250) 246-5368 fax: (250) 246-5398