Hi Michael, On 12/3/05, Michael B Allen <[EMAIL PROTECTED]> wrote: > Why do sessions use cookies?
'cause HTTP is a "stateless" protocol ... check Wikiepedia on HTTP Cookies at http://en.wikipedia.org/wiki/HTTP_cookies and RFC 2109 http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc2109.html such "statelessness" is the source of one of the major attack types in Web applications: Session Hijacking... Chris has more to say here http://shiflett.org/articles/security-corner-aug2004 (hello Chris :) >Isn't a session just a container associated > with the user's socket No it's not, 'cause if so, the clien has to keep a socket open to the server during the "whole" session... statelessness has design benefits ... Regards, Ahmed
