[Catalyst] Announcement - New session plugins
Yuval Kogman
nothingmuch at woobling.org
Wed Nov 9 02:05:47 CET 2005
On Tue, Nov 08, 2005 at 06:57:11 -0800, Bill Moseley wrote:
> On Tue, Nov 08, 2005 at 09:32:24AM -0500, Perrin Harkins wrote:
> > The way I've seen it done is to use both cookies and URL rewriting on
> > the first request, and then just turn off URL rewriting on the second
> > request if a cookie is found.
>
> Right, except the point of the second request is to clean up the URL,
> so the session never really shows up in the client's URL window.
This makes things complicated. A more practical (but less secure)
idea is to let the app continue unobstructed, and rewrite the output
of the page that created the login. All the internal links on that
page will have the session ID in the URL and will be unsafe for all
users, but the moment the user actually does something this will be
gone.
--
() Yuval Kogman <nothingmuch at woobling.org> 0xEBD27418 perl hacker &
/\ kung foo master: /me climbs a brick wall with his fingers: neeyah!
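The two-step scheme discussed above (set a cookie and rewrite internal links on the login response, then on the next request drop the URL session id once the cookie has come back), worked through as an added example. This is not code from the thread or from the Catalyst session plugins; it assumes a hypothetical request hash (`cookies`, `params`, `uri`), uses a plain regex over `href` attributes in place of any plugin API, and uses a constructed session id. External links are deliberately left unrewritten so the id never ends up in a Referer sent to another host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Which channel carries the session id on this request?
# $req is a hypothetical hash: { cookies => {...}, params => {...}, uri => '...' }
sub session_transport {
    my ($req) = @_;
    return 'cookie' if defined $req->{cookies}{sid};   # cookie came back: stop URL rewriting
    return 'url'    if defined $req->{params}{sid};    # cookie-less client still on URL sessions
    return 'none';
}

# Append sid=... to links that point at our own host only.
sub rewrite_links {
    my ($html, $sid, $own_host) = @_;
    $html =~ s{(<a\b[^>]*\bhref=")([^"]*)(")}{ $1 . _with_sid($2, $sid, $own_host) . $3 }gie;
    return $html;
}

sub _with_sid {
    my ($url, $sid, $own_host) = @_;
    if ($url =~ m{^https?://([^/?#]+)}i) {
        return $url unless lc($1) eq lc($own_host);    # foreign host: leave untouched
    }
    return $url if $url =~ /(?:[?&])sid=/;             # already carries one
    my ($base, $frag) = $url =~ /^([^#]*)(#.*)?$/;
    $frag = '' unless defined $frag;
    my $sep = $base =~ /\?/ ? '&' : '?';
    return "$base${sep}sid=$sid$frag";
}

# Second request: the cookie is present and the URL still has sid, so redirect
# to the same URL with the sid parameter removed (the "clean up" step).
sub strip_sid {
    my ($url) = @_;
    $url =~ s/([?&])sid=[^&#]*&?/$1/;
    $url =~ s/[?&](?=#|$)//;    # drop a separator left dangling before a fragment or the end
    return $url;
}

sub handle_request {
    my ($req, $sid, $own_host) = @_;
    my $via = session_transport($req);
    if ($via eq 'cookie' && defined $req->{params}{sid}) {
        return { redirect => strip_sid($req->{uri}) };
    }
    my $body = '<a href="/home">home</a> <a href="/search?q=x">search</a> '
             . '<a href="http://other.example/">elsewhere</a>';
    # On the login response we do not yet know whether cookies work, so both
    # mechanisms are used: Set-Cookie plus rewritten internal links.
    $body = rewrite_links($body, $sid, $own_host) if $via ne 'cookie';
    return { body => $body, set_cookie => ($via eq 'cookie' ? undef : "sid=$sid") };
}

my $sid  = 'EXAMPLE-SID-0001';   # constructed, not a real session id
my $host = 'app.example';

# 1. login response: no cookie yet, rewrite + Set-Cookie
my $r1 = handle_request({ cookies => {}, params => {}, uri => '/login' }, $sid, $host);
print "login body: $r1->{body}\n";            # /home?sid=... and /search?q=x&sid=..., external link untouched

# 2. client followed a rewritten link and sent the cookie back: redirect to the clean URL
my $r2 = handle_request({ cookies => { sid => $sid }, params => { sid => $sid },
                          uri => "/search?q=x&sid=$sid" }, $sid, $host);
print "redirect to: $r2->{redirect}\n";       # /search?q=x

# 3. cookie-less client: URL sessions stay on, as in the thread's "less secure" fallback
my $r3 = handle_request({ cookies => {}, params => { sid => $sid }, uri => "/home?sid=$sid" }, $sid, $host);
print "fallback body: $r3->{body}\n";
```

The redirect in step 2 is what keeps the id out of the address bar; a client that never returns the cookie keeps seeing rewritten links, which is exactly the exposure Yuval calls "less secure" above.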