JavaScript considered harmful (was Re: New online index to Beazley's tutorials)
Michael Ströder
michael at stroeder.com
Tue Jan 8 10:33:13 EST 2002
Aahz Maruch wrote:
>
> Too many sites misuse cookies, so lots of people
> turn cookies off.
Me too. :-)
> but cookies for sessions IDs is absurd.
Why? It's generally harder to hijack cookie-based session IDs than
URL-based session IDs (think of Referer URLs sent by browsers,
tricking the web browser via JavaScript, cross-site scripting attacks
etc.).
But I don't use cookies since I have cookies turned off. Instead I'm
trying to prevent session hijacking by checking CGI-BIN vars
assumed to be constant throughout the whole session. Check out my
module pyweblib.session used in e.g. web2ldap (see
http://www.stroeder.com/pylib/PyWebLib/). Also, all external links in
web2ldap are redirected by an internal URL redirector that sends a new
HTML page to prevent the browser from sending a referer URL.
Ciao, Michael.
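An added illustration of the session-binding idea described in the post above; it is example code, not taken from pyweblib.session or web2ldap. The choice of bound CGI variables, the SessionStore class and the fingerprint function are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# CGI environment variables assumed to stay constant for one client during a
# session (assumption for this example). Note: REMOTE_ADDR can legitimately
# change for clients behind rotating proxy pools, which then forces re-login.
BOUND_VARS = ("REMOTE_ADDR", "HTTP_USER_AGENT", "HTTP_ACCEPT_LANGUAGE")


def fingerprint(environ):
    """Digest of the bound variables, in a fixed order so it is reproducible."""
    material = "\n".join(f"{k}={environ.get(k, '')}" for k in BOUND_VARS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory session table whose entries are tied to a client fingerprint."""

    def __init__(self, ttl=900):
        self._sessions = {}
        self.ttl = ttl  # seconds a session stays valid after creation

    def create(self, environ, now=None):
        """Start a new session for this client and return its random ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "fp": fingerprint(environ),
            "created": time.time() if now is None else now,
            "data": {},
        }
        return sid

    def lookup(self, sid, environ, now=None):
        """Return the session's data dict, or None if the ID is unknown,
        expired, or presented from an environment that no longer matches."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = time.time() if now is None else now
        if now - entry["created"] > self.ttl:
            del self._sessions[sid]
            return None
        if not hmac.compare_digest(entry["fp"], fingerprint(environ)):
            # Bound variables changed mid-session: treat the ID as leaked
            # (e.g. via a Referer URL) and invalidate it rather than serve it.
            del self._sessions[sid]
            return None
        return entry["data"]
```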