On May 10, 2007, at 11:40 AM, Richard Davey wrote:
> ccspencer@xxxxxxxxxxxx wrote:
>> That being the case I can never find out (using the built-in
>> sessions) until the second page request and it will always
>> include the session cookie in the URL. Which means the value
>> of the session cookie will be exposed, even if I am using SSL.
>> :( Back to the drawing board...
>
> While using TRANS IDs is ugly, they will show no more or less
> information to the user than a session cookie contains. Most
> browsers have built-in support for viewing cookie contents these
> days. Doing so will show your PHP Session ID clearly. Trans IDs are
> no different, just more 'obvious' being in the URL and all. The
> actual data displayed is the same however.

And the session id is open to being stored in a bookmark or worse,
sent to someone else through a cut and paste of the URL.
Depending on what information that id controls and how long the
sessions are kept around, ids in the URL could be a very bad thing
indeed.

Ed
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
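
Added example (not part of the original thread): one way to check how far URL-carried session IDs are being exposed, and whether any have been passed on through a bookmarked or pasted URL as described above, is to scan the web server access log for them. The log lines are constructed sample data; the common log format and PHP's default session name `PHPSESSID` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2007:11:40:01 -0400] "GET /account.php?PHPSESSID=aaaa1111bbbb2222cccc3333dddd4444 HTTP/1.1" 200 512
192.0.2.10 - - [10/May/2007:11:41:17 -0400] "GET /orders.php?page=2&PHPSESSID=aaaa1111bbbb2222cccc3333dddd4444 HTTP/1.1" 200 734
198.51.100.7 - - [10/May/2007:12:05:44 -0400] "GET /account.php?PHPSESSID=aaaa1111bbbb2222cccc3333dddd4444 HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2007:12:06:02 -0400] "GET /index.php HTTP/1.1" 200 301
203.0.113.5 - - [10/May/2007:12:06:09 -0400] "GET /cart.php?PHPSESSID=eeee5555ffff6666aaaa7777bbbb8888 HTTP/1.1" 200 420
"""

# client address, then the request target inside the quoted request line
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def session_ids_in_urls(log_text, session_name="PHPSESSID"):
    """Map each session ID found in a request URL to the client addresses that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group("target")).query
        for sid in parse_qs(query).get(session_name, []):
            seen[sid].add(m.group("client"))
    return dict(seen)


def shared_session_ids(seen):
    """Session IDs presented by more than one client address."""
    return {sid: sorted(clients) for sid, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    seen = session_ids_in_urls(SAMPLE_LOG)
    print(f"{len(seen)} session ID(s) exposed in URLs")
    for sid, clients in shared_session_ids(seen).items():
        print(f"{sid[:8]}... used from {', '.join(clients)}")
```

A session ID seen from several addresses is a lead to review, not proof of sharing: one user can legitimately appear from more than one address. Every ID this scan finds is also sitting in the log file itself, which is one more place the value is stored when it travels in the URL.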