mark at rawcane.net
Thu Feb 7 03:57:46 EST 2008
> Mark Fuller said:
>> I thought the problem with putting the session ID in the URL is that
>> the user might copy/paste the URL to others. When they try to use it,
>> the app would have no way to know it's not the real user?
> Another problem is bookmarks. A user may bookmark a page, but when they
> come back a couple of days later, the session has expired. They might also
> email a link to others, and that link may not work for the same reason.
I think for my purposes having a 5 minute expiry time is sufficient to
preventing this kind of problem. If the session has expired it will renew
the session data. I am only using sessions to avoid having to do remote
calls for every request. I could also use the IP security feature and UA
matching to lock it down further but is not critical.
More information about the cgiapp