On Tue, November 8, 2005 7:32 pm, Ben Ramsey wrote:
> I think the approach here will need to err on the side of caution. You
> don't want to pass the session identifier through the URL (or POST) too
> much because it risks exposure and the possibility for session
> hijacking, though it should be possible to do this and grab the session
> information for the session id from the directory where sessions are
> stored (often times this is in /tmp). I would advise against this for
> reasons I've already mentioned.

Call me crazy, but the session_id is already going in/out through Cookie
headers.

So, really, it's not THAT much less secure for it to go in POST, and only
nominally less secure to go in GET, is it?...

I guess some kind of cross-site scripting hack might read HTML but not
Cookies, though, really, you'd think most XSS hacks would focus on cookies
at least as much as HTML source...

There is some argument in favor of not sending/getting the session_id back
and forth AS MUCH just to give it a more fleeting existence on the wire for
snoopers, but the difference between COOKIE/POST/GET data integrity/security
from snooping seems negligible to this naive user.

Maybe this is just a knee-jerk reaction to all the misinformation about
POST being "more secure" than GET that floats all over the 'net. :-)

[Hi Ben!]

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
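The cookie-versus-URL/POST question the thread argues about, shown as an added PHP example that is not part of either poster's message: the commented-out directives are the settings that put the session id into links and form fields, and the `ini_set()` calls below them are the configuration that confines it to the Cookie header (it assumes a PHP build recent enough to have `session.cookie_httponly`, i.e. 5.2 or later).

```php
<?php
// Added example, not from the mailing-list thread.
// Weak configuration: PHP rewrites every link and form so the id rides
// in the URL or a hidden field, and accepts an id that arrives that way.
// This is the URL/POST transport Ben warns about, and it leaves the id
// in proxy logs, browser history, Referer headers and the HTML source.
//   session.use_trans_sid    = 1
//   session.use_only_cookies = 0

// Hardened configuration: the id exists only in the Cookie header.
ini_set('session.use_only_cookies', '1'); // ignore a PHPSESSID sent via GET or POST
ini_set('session.use_trans_sid', '0');    // never rewrite URLs or forms to carry the id
ini_set('session.cookie_httponly', '1');  // script injected by XSS cannot read document.cookie
ini_set('session.cookie_secure', '1');    // browser sends the cookie over HTTPS only
ini_set('session.cookie_path', '/');      // scope the cookie to the application path

session_start();
```

With `use_only_cookies` on, a request that carries the id only in the query string or body starts a fresh session instead of resuming the one named in the request.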