Matus UHLAR - fantomas wrote:
so for example searches on google do not show the full URL.
On 18.03.08 13:07, RW wrote:
I don't know much about 2.5 but in up-to-date versions, logging of query
urls is governed by "strip_query_terms". By default it's on to avoid
logging things like session IDs.
it's called privacy :)
On 20.03.08 00:52, Amos Jeffries wrote:
It's called philanthropy: protecting idiots against themselves at ones
own cost.
No webmaster with any serious intentions of privacy publishes the
SESSION-IDs in visible URI. The sensible ones use session cookies,
nicely hidden from script-kiddies eyes, easily removed by
security-conscious users, and not getting in the way of smart users
direct-linking.
there are more things in GET strings than just session ID's...
I know, I use query string a lot myself sometimes. But never for
critical data.
My comment was about the session IDs being in there or any other
'private' information.
Falls in a similar category as sending "user=bob&password=1234" in the
query-string. (Real example, from a 'secure payment' site no less :-( ).
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
