Michal Čihař wrote:
> On Thu, 27 Apr 2006 15:29:31 +0200 Sebastian Mendel lists@sebastianmendel.de wrote:
>> Michal Čihař wrote:
>>> On Thu, 27 Apr 2006 15:18:34 +0200 Sebastian Mendel lists@sebastianmendel.de wrote:
>>>> For security reasons we decided not to support URL session IDs.
>>> What's the problem with that?
>> Session fixation and hijacking?
> Hmmm, what is better? This or XSRF or cookie requirement. Looks like we have to make a choice.

Whether URL sid is allowed or not is set in session.inc.php. Possibly we could add a $cfg to allow URL sid, so it is the choice of the user if he allows sid via URL or not.
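
The configuration switch proposed above, sketched as an added example that is not part of the original thread and not the project's own code. The option name `$cfg['AllowUrlSessionId']` and both function names are hypothetical; the `session.*` directives are standard PHP settings (`session.use_strict_mode` needs PHP 5.5.2 or later).

```php
<?php
// Hypothetical option (not an existing setting of the project):
// false = cookies only (default), true = also accept a session id in the URL.
$cfg['AllowUrlSessionId'] = false;

/**
 * Apply the session transport policy. Must run before session_start().
 */
function configure_session_transport(array $cfg): void
{
    $allowUrlSid = !empty($cfg['AllowUrlSessionId']);

    // Cookie-only mode makes PHP ignore a session id supplied in the
    // query string, which is the usual carrier for session fixation.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', $allowUrlSid ? '0' : '1');

    // Transparent sid support rewrites links to carry the id; it is only
    // switched on when the administrator opted in to URL session ids.
    ini_set('session.use_trans_sid', $allowUrlSid ? '1' : '0');

    // Refuse session ids that the server did not issue itself, so a
    // preset id is not adopted even when URL ids are allowed.
    ini_set('session.use_strict_mode', '1');

    session_start();
}

/**
 * Call after a successful login: a new id is issued and the old session
 * data file is deleted, so an id known before authentication is useless.
 */
function rotate_session_after_login(): void
{
    session_regenerate_id(true);
}

configure_session_transport($cfg);
```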