[nycphp-talk] sessions and application security
Mitch Pirtle
mitchy at spacemonkeylabs.com
Tue Jan 27 13:04:32 EST 2004
charlie derr wrote:
> One thing that occurs to me (which certainly wasn't implied in the original question, so I'm asking about this as a totally separate issue that was just "jogged" into the forefront of my mind by this highly illuminative post) is the following:
>
> If the entire transaction (both authentication and all content served) was done via https, then it really wouldn't be a security problem to use this model you scoff at (session data in the url), right?
Nope, unfortunately your session data will be in the URL, which goes
over in cleartext (think about HTTP_REFERER and such).
-- Mitch
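The point in this exchange, that a session id carried in the URL is copied into the Referer header whenever the page links somewhere else (and into every access log that records the request line or the Referer), can be shown concretely. The following is an added example, not code from the thread or from nycphp: it builds the Referer value a browser sends when following a link off a page whose URL carries a PHP-style session id (fragment and userinfo stripped, query kept; and browsers suppress the Referer when leaving an https page for an http one, per RFC 2616 section 15.1.3), then scans access-log lines in Apache combined format for session ids in either the request path or the Referer. The parameter names `PHPSESSID`, `sid` and `session_id`, the hostnames, and the log lines are all constructed for the demo.

```python
"""Session ids in URLs leak through Referer headers and access logs.

Added example for the nycphp-talk thread; not part of the original post.
Parameter names, hostnames and log lines below are constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query-string names that carry a session id (assumed for the demo;
# PHPSESSID is PHP's default when session.use_trans_sid is on).
SESSION_PARAMS = ("PHPSESSID", "sid", "session_id")

# Apache "combined" log format: host ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_for(page_url: str, target_url: str) -> Optional[str]:
    """Referer a browser sends when navigating from page_url to target_url.

    Fragment and userinfo are stripped; path and query are kept, so a session
    id in the query travels with the request to the target site. Going from
    https to plain http, browsers send no Referer at all (RFC 2616 15.1.3),
    which is why HTTPS alone does not keep the id out of third-party logs.
    """
    src, dst = urlsplit(page_url), urlsplit(target_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None
    host = src.netloc.rsplit("@", 1)[-1]  # drop user:pass@ if present
    return urlunsplit((src.scheme, host, src.path or "/", src.query, ""))


def session_ids_in(url: str) -> Dict[str, str]:
    """Session parameters found in the query string of url (absolute or path-only)."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in SESSION_PARAMS}


def find_leaked_sessions(log_lines: List[str]) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (field, client_host, ids) for each log field holding a session id.

    field == "path": our own server wrote a session id into its log.
    field == "referer": a session id from the linking page (ours or another
    site's) arrived in the Referer header and was logged here.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("path", "referer"):
            ids = session_ids_in(m.group(field))
            if ids:
                findings.append((field, m.group("host"), ids))
    return findings


# Constructed log lines: the first two are what shop.example and a third-party
# ad host would see; the third shows the same flow with a cookie-based session
# (nothing in the URL, so nothing to leak).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jan/2004:13:04:32 -0500] "GET /cart.php?PHPSESSID=7f3a9c1e HTTP/1.1" '
    '200 1024 "https://shop.example/index.php?PHPSESSID=7f3a9c1e" "Mozilla/4.0"',
    '198.51.100.4 - - [27/Jan/2004:13:05:01 -0500] "GET /ads/banner.gif HTTP/1.1" '
    '200 512 "https://shop.example/checkout.php?PHPSESSID=7f3a9c1e&step=2" "Mozilla/4.0"',
    '198.51.100.4 - - [27/Jan/2004:13:05:02 -0500] "GET /ads/banner.gif HTTP/1.1" '
    '200 512 "https://shop.example/checkout.php?step=2" "Mozilla/4.0"',
]


def demo() -> List[Tuple[str, str, Dict[str, str]]]:
    """Run the scanner over the constructed log and return its findings."""
    return find_leaked_sessions(SAMPLE_LOG)


if __name__ == "__main__":
    print(referer_for("https://shop.example/checkout.php?PHPSESSID=7f3a9c1e#top",
                      "https://ads.example/click"))
    for field, host, ids in demo():
        print(f"{field:8} from {host}: {ids}")
```

Running the scanner against a real log is the quick check: any hit on the `referer` field of a site you do not control means that site now holds a live session id from your users' URLs, and any hit on `path` means your own log readers do too. Moving the session id into a cookie removes it from both places, since cookies are neither copied into Referer nor written into the request line.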