> What is the difference (as far as security goes) between using a cookie and
> a hidden field? Are hidden fields cached if we are using SSL? I think not.

None. Both are wide open. SSL simply encrypts the "pipe" between your server and the client (browser). Everything passing over it, including cookies and hidden fields, is encrypted, or not if SSL is not employed.

I like the pipe analogy, think of everything that goes from the browser to the server (and since both cookies and hidden fields are client side until the client calls to the server) as traveling over a clear pipe. So if you can see into the pipe, then you can see everything. Then picture SSL as a wrapper around the pipe, it prevents you seeing *everything* traveling over the pipe, so then it is up to you to make sure the connections at either end work (aka browser supports SSL, server does too, and they have decided to use the covered pipe instead of the clear one).

> If I use a GUID as a session ID in my database and store the GUID in a
> hidden field and the user sees the GUID in some GET parameters, is this of
> any consequence?

Depends on what the GUID is made of. Did my other write up of the authentication idiom not help? work? or the modules suggested by the other poster?

> Someone recommended that I don't persist cookies. How do I not persist
> cookies?

They shouldn't persist by default, it is usually a question of "how do I make them persist", which is covered very clearly here:

http://search.cpan.org/~lds/CGI.pm-3.05/CGI.pm#HTTP_COOKIES

http://danconia.org
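
An added example, not part of the original message: a CGI::Cookie sketch contrasting a non-persistent (session) cookie with a persistent one, using a session ID drawn from the kernel random source so its value does not depend on "what the GUID is made of". The cookie name `sid`, the 30-day lifetime and the helper `new_session_id` are assumptions for illustration, and `-httponly` assumes a CGI.pm release that supports it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI::Cookie;

# Hypothetical helper: read 16 bytes from the kernel CSPRNG and hex-encode
# them, so the ID cannot be guessed or derived from time, PID or host data.
sub new_session_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    my $n = read($fh, my $bytes, 16);
    close($fh);
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return unpack('H*', $bytes);
}

my $sid = new_session_id();

# Session cookie: no -expires, so the browser treats it as non-persistent
# and discards it when the browser session ends. -secure keeps it off the
# "clear pipe": the browser only sends it back over SSL.
my $session = CGI::Cookie->new(
    -name     => 'sid',      # assumed cookie name
    -value    => $sid,
    -path     => '/',
    -secure   => 1,
    -httponly => 1,          # not readable from page scripts
);

# Persistent cookie, for contrast: adding -expires is what makes the
# browser keep it across restarts.
my $persistent = CGI::Cookie->new(
    -name    => 'sid',
    -value   => $sid,
    -path    => '/',
    -expires => '+30d',      # assumed lifetime
    -secure  => 1,
);

# CGI::Cookie objects stringify to the Set-Cookie header value.
print "Set-Cookie: $session\n";
print "Set-Cookie: $persistent\n";
```

Only the second header carries an `expires=` attribute; the server should still expire the session record on its side, since either cookie value is visible to whoever controls the client.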