Re: Random thought about ParanoidSession

  Joshua Chamas
    Message 1 of 2, Dec 17, 2001
      Philip Mak wrote:
      >
      > I think that it may actually be harmful to power users in some cases if
      > you "PerlSetVar ParanoidSession 1". If the session key is stored as a
      > URL string, and someone has two different kinds of web browsers open and
      > legitimately copies and pastes the URL from one web browser to another
      > (because your glitzy DHTML site won't work in Opera or something),
      > ParanoidSession will break it.
      >

      You are right. This implementation was necessitated before by the
      ASP session implementation stating that a session had to be created
      if it did not already exist for the incoming session id...

      ... but I changed the Apache::ASP session implementation a while ago
      to create a new session id when an invalid one is incoming.
      I could use this approach here to fix the behavior you describe.
      The security effect would be the same for a hacker trying to
      guess session ids.

      I'll put this on my TODO.

      --Josh

      _________________________________________________________________
      Joshua Chamas Chamas Enterprises Inc.
      NodeWorks Founder Huntington Beach, CA USA
      http://www.nodeworks.com 1-714-625-4051

      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
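As an added illustration (not Apache::ASP's code, and not anything Joshua or Philip posted), the following Python models the two session-lookup policies discussed above: a paranoid check that breaks the request when the session id arrives from a different browser, and the proposed alternative of treating a mismatched id like any invalid id and minting a fresh session. It also shows why the server must never adopt a client-supplied id. The `SessionManager`, `Session` and `SessionBroken` names, the in-memory store, the sample User-Agent strings and the assumption that ParanoidSession's check is a User-Agent comparison are all constructed for this example.

```python
# Added illustration of the session-lookup policies discussed in the thread.
# Not Apache::ASP code: store, classes and User-Agent strings are constructed.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    id: str
    user_agent: str                       # browser that created the session
    data: dict = field(default_factory=dict)


class SessionBroken(Exception):
    """Models the failure Philip describes: the check fails and the request breaks."""


class SessionManager:
    """In-memory stand-in for a session store (assumed; real stores persist to disk)."""

    def __init__(self, paranoid: bool, on_mismatch: str = "new_session"):
        # on_mismatch="error": break the request when the browser does not match.
        # on_mismatch="new_session": treat the id as invalid and mint a fresh one.
        if on_mismatch not in ("error", "new_session"):
            raise ValueError(on_mismatch)
        self.paranoid = paranoid
        self.on_mismatch = on_mismatch
        self.store: Dict[str, Session] = {}

    def _create(self, user_agent: str) -> Session:
        # The server always mints the id. A client-supplied id is never adopted,
        # so a guessed or attacker-chosen id can never become a live session.
        session = Session(secrets.token_hex(16), user_agent)
        self.store[session.id] = session
        return session

    def resolve(self, incoming_id: Optional[str], user_agent: str) -> Tuple[Session, bool]:
        """Return (session, created) for a request carrying incoming_id (or none)."""
        if incoming_id is None or incoming_id not in self.store:
            return self._create(user_agent), True      # invalid id -> new session id
        session = self.store[incoming_id]
        if self.paranoid and session.user_agent != user_agent:
            if self.on_mismatch == "error":
                raise SessionBroken(f"session {incoming_id} presented from another browser")
            return self._create(user_agent), True      # proposed fix: same as invalid
        return session, False


DHTML_BROWSER = "Mozilla/4.0 (compatible; MSIE 6.0)"   # constructed sample UA
OTHER_BROWSER = "Opera/6.0 (Windows 2000; U)"           # constructed sample UA
GUESSED_ID = "00" * 16                                  # attacker's guess, never issued


def demo() -> dict:
    """Walk the scenarios from the thread and return the observable outcomes."""
    out = {}

    # 1. Power user pastes the URL (session id included) into a second browser.
    old = SessionManager(paranoid=True, on_mismatch="error")
    victim_old, _ = old.resolve(None, DHTML_BROWSER)
    victim_old.data["cart"] = ["widget"]
    try:
        old.resolve(victim_old.id, OTHER_BROWSER)
        out["old_policy"] = "worked"
    except SessionBroken:
        out["old_policy"] = "broken"               # the behaviour Philip complains about

    new = SessionManager(paranoid=True, on_mismatch="new_session")
    victim_new, _ = new.resolve(None, DHTML_BROWSER)
    victim_new.data["cart"] = ["widget"]
    second, created = new.resolve(victim_new.id, OTHER_BROWSER)
    out["new_policy_created"] = created            # page works, state not carried over
    out["new_policy_sees_cart"] = "cart" in second.data
    out["new_policy_id_changed"] = second.id != victim_new.id

    # 2. Attacker presents a stolen id from a different client: denied either way,
    # which is the "same security effect" Josh points to.
    attacker_ua = "curl/7.9"
    try:
        old.resolve(victim_old.id, attacker_ua)
        out["attacker_old"] = "session_reused"
    except SessionBroken:
        out["attacker_old"] = "denied"
    stolen, created = new.resolve(victim_new.id, attacker_ua)
    out["attacker_new"] = "denied" if created and "cart" not in stolen.data else "session_reused"

    # A guessed id that was never issued is never adopted as a session id either.
    guess, _ = new.resolve(GUESSED_ID, attacker_ua)
    out["guess_adopted"] = guess.id == GUESSED_ID

    # 3. Without ParanoidSession the same id is honoured from any browser.
    lax = SessionManager(paranoid=False)
    owner, _ = lax.resolve(None, DHTML_BROWSER)
    shared, created = lax.resolve(owner.id, OTHER_BROWSER)
    out["non_paranoid_shared"] = shared is owner and not created
    return out
```

The trade-off the thread is about sits in the `on_mismatch` branch: both policies refuse to hand the existing session to a browser that does not match, so a guesser gains nothing, and the only difference is whether the legitimate copy-and-paste user sees an error or quietly starts over with an empty session.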