From: Sverre H. Huseby (shh_at_thathost.com)
Date: Fri Aug 23 2002 - 02:34:53 CDT
For your information: I just noticed that my PHP based services
include session-ids in URLs if cookies are disabled. Earlier versions
of PHP didn't do this unless PHP was configured with the
--enable-trans-sid directive, but it seems that the behavior has been
made the default in recent versions.

If you, like me, don't like secrets in URLs, you should probably make
sure your php.ini contains:

    session.use_trans_sid = 0

Section 15.1.3 of RFC 2616 (the HTTP 1.1 spec) advises against using
GET for sensitive data.

Sverre.
-- shhthathost.com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/
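
Added example, not part of the original post: a log check for the exposure described above, listing requests whose URL or Referer carries a PHP session id and flagging ids presented by more than one client address. It assumes Apache Combined Log Format and PHP's default session name PHPSESSID; the log lines, addresses and session id are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: default PHP session name; change if session.name is set in php.ini.
SESSION_PARAM = "PHPSESSID"

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation addresses, made-up session id).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Aug/2002:09:00:01 +0200] "GET /account.php?PHPSESSID=aaaa1111 HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"',
    '192.0.2.10 - - [23/Aug/2002:09:00:05 +0200] "GET /logo.png HTTP/1.1" 200 900 "http://www.example.com/account.php?PHPSESSID=aaaa1111" "ExampleBrowser/1.0"',
    '198.51.100.7 - - [23/Aug/2002:09:03:10 +0200] "GET /account.php?PHPSESSID=aaaa1111 HTTP/1.1" 200 512 "-" "OtherBrowser/2.0"',
    '203.0.113.5 - - [23/Aug/2002:09:04:00 +0200] "GET /index.php HTTP/1.1" 200 300 "-" "ExampleBrowser/1.0"',
]

def session_ids_in(url):
    """Return the session ids carried in the query string of url."""
    return parse_qs(urlsplit(url).query).get(SESSION_PARAM, [])

def find_leaks(lines):
    """Yield (line_no, field, client, session_id) for each session id seen in a URL."""
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a Combined Log Format line
        for field in ("target", "referer"):
            for sid in session_ids_in(m.group(field)):
                yield no, field, m.group("host"), sid

def shared_ids(leaks):
    """Map each session id requested by more than one client address to those addresses."""
    seen = {}
    for _, field, host, sid in leaks:
        if field == "target":
            seen.setdefault(sid, set()).add(host)
    return {sid: hosts for sid, hosts in seen.items() if len(hosts) > 1}

if __name__ == "__main__":
    leaks = list(find_leaks(SAMPLE_LOG))
    for leak in leaks:
        print("line %d: session id in %s from %s: %s" % leak)
    print("ids seen from several clients:", shared_ids(leaks))
```

Any hit means session ids are still being written into URLs, so the php.ini setting above is not in effect for that site.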