Dustin Mitchell
dustin at ywlcs.org
Sun Jun 8 12:39:17 EST 2003
On Sun, Jun 08, 2003 at 11:24:33AM -0600, Gre7g Luterman wrote:
> > - Permanent and temporary sessions. Every website uses cookies for
> > only one thing - sessions. We should have this built in by default.
>
> Personally, I prefer to pass a variable SID around with each link and
> form. Yeah, it's not as convenient as a cookie, but at least you
> don't have to worry about cookies being enabled. Plus, it is
> available on the first page load and it is compatible with CGIs I
> wrote before getting into mod_python, where it was too tricky to
> modify headers to set one.

And it's less secure. If I hand someone a link like

  http://www.yoursite.com/SID=209354634

then get them to log in (and thus initiate that session), then I can hijack their session by using the same URL. At least with cookies it's much harder to get someone to install a cookie for a foreign site on their browser.

Be careful!

Dustin

--
Dustin Mitchell
dustin at ywlcs.org / djmitche at alumni.uchicago.edu
http://people.cs.uchicago.edu/~dustin/
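One way a server-side session layer can resist the pre-supplied-SID trick Dustin describes, as an added example (not code from this thread or from mod_python; the store layout, function names and the attacker-chosen SID scenario are constructed for illustration):

```python
"""Session store that never honours a client-invented SID and rotates the
SID at login. Added example; the names and scenario below are constructed."""
import secrets


class SessionStore:
    """Only server-minted SIDs are accepted; the SID changes when the
    session gains privileges (login), so a SID planted in a link before
    the victim logged in is never the SID of the logged-in session."""

    def __init__(self):
        self._sessions = {}  # sid -> session data (constructed, in-memory)

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unguessable, server-chosen
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid_from_request):
        """Return (sid, data). An SID the server never issued, e.g. one a
        third party put in a URL, is discarded and a fresh one minted."""
        if sid_from_request in self._sessions:
            return sid_from_request, self._sessions[sid_from_request]
        sid = self.new_session()
        return sid, self._sessions[sid]

    def login(self, sid, username):
        """Rotate the SID at login so anyone who knew the old SID cannot
        use it to reach the authenticated session."""
        data = self._sessions.pop(sid)
        data["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def check_fixation_resistance(store):
    """Constructed scenario: a link carries an SID the server never issued
    (like the one in the mail), and the recipient then logs in."""
    planted_sid = "209354634"
    sid, _ = store.lookup(planted_sid)   # recipient follows the link
    sid = store.login(sid, "victim")     # recipient logs in
    return {
        "planted_sid_usable_after_login": planted_sid in store._sessions,
        "login_sid_equals_planted_sid": sid == planted_sid,
        "victim_logged_in": store._sessions[sid]["user"] == "victim",
    }
```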