Dennis Lee Bieber <[EMAIL PROTECTED]> writes:

> Yes... And watch them flounder on sites that use cookies /for/ a
> form of security (ie, those sites that require logins...) Cookies can be
> set to expire, so the "session" can time-out... whereas...
Sites should never rely on cookies timing out. If there's any security
concern about session persistence and you don't want to track the
session timeout on the server, then encode an expiration time into the
cookie itself, and cryptographically authenticate the cookie.

> > I tried to add hidden field with a sessionID in every python CGI script
> > generated web pages, so every time my client POST a request, the server

The trouble here is that it stops internal links (retrieved with GET
rather than POST) from working. So normally what you're describing is
done with session IDs in the URL (see amazon.com for example). That,
too, isn't so great for security, especially for ecommerce sites, since
people tend to share URLs with their friends. E.g., they'll post to
Usenet or web BBSs, "So-and-so is offering a great deal on Python
manuals, the URL is <http://whatever...>" where "whatever" includes the
session ID. Anyone clicking the URL then ends up with the same shopping
cart as the person who posted it.

To OP: keep in mind also that anyone who disables cookies probably also
disables javascript, so relying on javascript as you described for
redirection doesn't work too well either.

-- 
http://mail.python.org/mailman/listinfo/python-list
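The "encode an expiration time into the cookie itself, and cryptographically authenticate the cookie" advice above, worked through as an added example (this is not code from the thread or from any poster). It uses an HMAC-SHA256 over a JSON payload carrying the session id and an absolute expiry. The `SECRET_KEY` value, the helper names, and the `tamper_extend_expiry` attacker simulation are all assumptions made for the demonstration; a real deployment would load the key from configuration rather than the source file.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumed server-side secret, constructed for this example only.
# In practice load it from configuration; never hard-code it.
SECRET_KEY = b"example-only-secret-key-change-me"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(session_id, lifetime_seconds, now=None, key=SECRET_KEY):
    """Return 'payload.mac': the payload carries the session id and an
    absolute expiry, and the MAC binds both so the client cannot alter them."""
    issued = int(time.time() if now is None else now)
    payload = {"sid": session_id, "exp": issued + int(lifetime_seconds)}
    # Canonical encoding so the same payload always yields the same bytes.
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def verify_session_cookie(cookie_value, now=None, key=SECRET_KEY):
    """Return the session id if the MAC verifies and the embedded expiry
    has not passed; otherwise None. The server trusts its own clock and
    the MAC, never the browser's cookie expiry."""
    try:
        body_b64, mac_b64 = cookie_value.split(".", 1)
        body = _unb64(body_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison: reject forgeries before parsing anything.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        payload = json.loads(body)
        sid = payload["sid"]
        exp = int(payload["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    current = int(time.time() if now is None else now)
    if current >= exp:
        return None
    return sid


def tamper_extend_expiry(cookie_value, extra_seconds):
    """Simulate a client who edits the expiry in the cookie but lacks the
    key to recompute the MAC. Verification must reject the result."""
    body_b64, mac_b64 = cookie_value.split(".", 1)
    payload = json.loads(_unb64(body_b64))
    payload["exp"] += int(extra_seconds)
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(body)}.{mac_b64}"


if __name__ == "__main__":
    cookie = make_session_cookie("sess-42", 3600, now=1000)
    print("fresh   :", verify_session_cookie(cookie, now=2000))
    print("expired :", verify_session_cookie(cookie, now=4600))
    print("tampered:", verify_session_cookie(tamper_extend_expiry(cookie, 100000), now=5000))
    print("wrong key:", verify_session_cookie(cookie, now=2000, key=b"other"))
```

The expiry lives inside the authenticated payload, so a client who strips or edits the browser-side `Expires` attribute gains nothing: the server checks its own clock against the signed `exp` on every request. This still does not give you revocation; if a session must be killable before its expiry, the server has to keep state (or a denylist) after all.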