PJ (posted February 28, 2003):

Hi All,

Okay, one of my Software engineer friends figured this out ... if you wish to share a link to a specific Candle thread, please do not copy the URL when you are in POST mode, i.e. in the middle of posting to the thread. This will enable anyone with that link to POST responses to that thread under your ID.

*sigh* that was an eye-opening and humbling experience when he told me. I never would have thought of it.

P.J.

floyd (posted February 28, 2003):

Hmm... well if the URLs are that persistent to encode a login, given that HTTP is used, that means anyone going through a logged proxy can be impersonated by anyone with access to the proxy logs then?

And since HTTPS is not used for the login, nor even digest security, there are lots of security holes I would bet.

jasonzzzz (posted February 28, 2003):

PJ, I have not used PHP before, but it seems that you are using URL-rewrite to handle the session, i.e. the session id is a part of the URL. If you could use a cookie (or a session cookie, which is not persistent) to handle the session, do you think it would be more secure?

floyd (posted February 28, 2003):

That and also invalidate a session key that is not from the same address, and after the next access from a user from a different address etc.
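
The two mitigations suggested in the replies above (carry the session id in a cookie instead of the URL, and invalidate a session key that shows up from a different address), sketched as an added example that is not part of the original thread or the forum's own code. The `SessionStore` class, the cookie name `sid` and the addresses used with it are hypothetical.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

COOKIE_NAME = "sid"  # hypothetical cookie / query-parameter name


class SessionStore:
    """In-memory session table: session id -> (user, client address)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, addr):
        """Create a session bound to addr; return the Set-Cookie value."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, addr)
        # No Expires/Max-Age: a session cookie, dropped when the browser
        # closes. Add "Secure" once the site is served over HTTPS.
        return f"{COOKIE_NAME}={sid}; HttpOnly; SameSite=Lax; Path=/"

    def authenticate(self, url, cookies, addr):
        """Return the logged-in user for this request, or None."""
        # An id carried in the URL is never honoured, so a pasted link or
        # a proxy log line that contains one grants nothing.
        query = parse_qs(urlsplit(url).query)
        url_sid = query.get(COOKIE_NAME, [None])[0]
        if url_sid is not None:
            # The id has been exposed in a URL: retire it.
            self._sessions.pop(url_sid, None)

        sid = cookies.get(COOKIE_NAME)
        record = self._sessions.get(sid)
        if record is None:
            return None
        user, bound_addr = record
        if addr != bound_addr:
            # Same key from another address: invalidate it, which also
            # forces the original user to log in again.
            del self._sessions[sid]
            return None
        return user
```

Address binding logs out users whose address changes mid-session (mobile networks, some proxies), and it does not separate users who share one NAT address.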