Hi Michael, On 12/3/05, Michael B Allen <mba2000@xxxxxxxxxx> wrote:> Why do sessions use cookies? 'cause HTTP is a "stateless" protocol ... checkWikiepedia on HTTP Cookies at http://en.wikipedia.org/wiki/HTTP_cookiesand RFC 2109 http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc2109.html such "statelessness" is the source of one of the major attack types inWeb applications: Session Hijacking... Chris has more to say herehttp://shiflett.org/articles/security-corner-aug2004 (hello Chris :) >Isn't a session just a container associated> with the user's socket No it's not, 'cause if so, the clien has to keep a socket open to theserver during the "whole" session... statelessness has design benefits... Regards,Ahmed
