Random thought about ParanoidSession

  • Philip Mak
    Message 1 of 2, Dec 16, 2001
      I think that it may actually be harmful to power users in some cases if
      you "PerlSetVar ParanoidSession 1". If the session key is stored as a
      URL string, and someone has two different kinds of web browsers open and
      legitimately copies and pastes the URL from one web browser to another
      (because your glitzy DHTML site won't work in Opera or something),
      ParanoidSession will break it.


      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
    • Joshua Chamas
      Message 2 of 2, Dec 17, 2001
        Philip Mak wrote:
        >
        > I think that it may actually be harmful to power users in some cases if
        > you "PerlSetVar ParanoidSession 1". If the session key is stored as a
        > URL string, and someone has two different kinds of web browsers open and
        > legitimately copies and pastes the URL from one web browser to another
        > (because your glitzy DHTML site won't work in Opera or something),
        > ParanoidSession will break it.
        >

        You are right. This implementation was necessitated before by the
        ASP session implementation stating that a session had to be created
        if one did not already exist for the incoming session id...

        ... but I changed the Apache::ASP session implementation a while ago
        to create a new session id when an invalid one is incoming.
        I could use this approach here to fix the behavior you describe.
        The security effect would be the same for a hacker trying to
        guess session ids.

        I'll put this on my TODO.

        --Josh

        _________________________________________________________________
        Joshua Chamas Chamas Enterprises Inc.
        NodeWorks Founder Huntington Beach, CA USA
        http://www.nodeworks.com 1-714-625-4051

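The two behaviours Josh contrasts above, modelled as a small session store (added illustration, not Apache::ASP code). It assumes ParanoidSession compares the User-Agent string; `honor_client_ids` models the old "create a session for the incoming id" rule, and the default models minting a fresh id instead, which is what makes a guessed or pasted id yield only an empty session.

```python
import secrets

# Constructed sample User-Agent strings, not taken from the thread.
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/115.0"
UA_OPERA = "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.18"


class SessionStore:
    """Server-side session table keyed by session id.

    paranoid:         bind each session to the User-Agent it was created with
                      (assumption: that is the fingerprint ParanoidSession checks).
    honor_client_ids: old behaviour from the thread: an unknown incoming id is
                      turned into a session under that very id (fixation-prone).
    """

    def __init__(self, paranoid=True, honor_client_ids=False):
        self.paranoid = paranoid
        self.honor_client_ids = honor_client_ids
        self.sessions = {}  # sid -> {"ua": str, "data": dict}

    def _create(self, ua, sid=None):
        sid = sid or secrets.token_hex(16)  # 128-bit random id, server-chosen
        self.sessions[sid] = {"ua": ua, "data": {}}
        return sid

    def resolve(self, incoming_sid, ua):
        """Map a request (incoming id or None, User-Agent) to (sid, created)."""
        rec = self.sessions.get(incoming_sid) if incoming_sid else None
        if rec is None:
            if incoming_sid and self.honor_client_ids:
                return self._create(ua, incoming_sid), True  # old behaviour
            return self._create(ua), True  # fresh id: a guessed id gains nothing
        if self.paranoid and rec["ua"] != ua:
            # Fingerprint changed (URL pasted into another browser): instead of
            # aborting the request, start a fresh empty session for this client.
            return self._create(ua), True
        return incoming_sid, False


def copy_url_between_browsers(store):
    """Philip's scenario: the session id in the URL is pasted into another browser."""
    sid, _ = store.resolve(None, UA_FIREFOX)
    store.sessions[sid]["data"]["user"] = "alice"
    sid2, created = store.resolve(sid, UA_OPERA)
    return sid, sid2, created


def unknown_id_request(store, incoming_sid):
    """A request carrying an id the server never issued (e.g. a guess)."""
    sid, created = store.resolve(incoming_sid, UA_FIREFOX)
    return sid, created, store.sessions[sid]["data"]
```

With `paranoid=True` the Opera request gets a new, empty session rather than an error, and Alice's Firefox session data stays bound to the Firefox fingerprint.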