HTTP state management without cookies?
Michael Ströder
michael at stroeder.com
Wed Feb 20 12:32:20 EST 2002
"André Risnes" wrote:
>
> "Simon Willison" <cs1spw at bath.ac.uk> wrote in message
> news:3C7368A0.5050702 at bath.ac.uk...
> >
> > It's pretty important to provide some kind of checking mechanism like
> > that to avoid people copying/pasting the URL of the page they are on
> > into an e-mail / instant message and inadvertently giving their session
> > to someone else.
>
> That can be avoided by embedding the session ID in a hidden
> field in a form instead of the URL (if forms are used, that is).
A hidden field is not really hidden. Especially, it's part
of the URL if <form method=GET> is used.
Ciao, Michael.
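
The point about `<form method=GET>` above, as an added example that is not part of the original post: a small check that parses a page's forms and reports the URLs that would carry a session-like hidden field after submission. The field names in `SESSION_NAMES`, the `example.test` URL and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit

SESSION_NAMES = ("sid", "session", "sessionid")  # assumed naming, adjust per app

class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and hidden fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or unrecognised method means GET (dialog forms not modelled).
            method = "post" if (a.get("method") or "").lower() == "post" else "get"
            self._current = {"method": method, "action": a.get("action") or "",
                             "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "hidden" and a.get("name"):
                self._current["hidden"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def submitted_request(form, page_url):
    """Return (url, body) a browser would send, counting hidden fields only."""
    target = urljoin(page_url, form["action"])
    data = urlencode(form["hidden"])
    if form["method"] == "post":
        return target, data              # fields travel in the request body
    # On GET the form data replaces the query string of the action URL.
    return urlsplit(target)._replace(query=data).geturl(), ""

def urls_exposing(html, page_url, names=SESSION_NAMES):
    """URLs that end up containing a session-like hidden field."""
    parser = FormCollector()
    parser.feed(html)
    return [submitted_request(f, page_url)[0] for f in parser.forms
            if f["method"] == "get" and any(n.lower() in names for n in f["hidden"])]

PAGE = "http://example.test/app/index"   # constructed
SAMPLE = """
<form action="/search"><input type=hidden name=sid value=abc123><input name=q></form>
<form method="GET" action="/list?page=2"><input type="hidden" name="sid" value="abc123"></form>
<form method="post" action="/save"><input type="hidden" name="sid" value="abc123"></form>
"""                                      # constructed sample page

if __name__ == "__main__":
    for url in urls_exposing(SAMPLE, PAGE):
        print("session ID would appear in URL:", url)
```

The first sample form has no `method` attribute at all and is still reported, because GET is the default.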