Re: The Dangers of Allowing Users to Post Images

From: Henrik Nordstrom (hnoat_private)
Date: Tue Jun 19 2001 - 06:32:01 PDT


    Sverre H. Huseby wrote:
    
    > There is, of course, no reason to add a ticket to off-site links.
    > The tickets are only understandable by our web application.
    > 
    > Tickets should only be tied to actions that have side effects on our
    > server (for which GET may be Wrong Thing anyway).  If this principle
    > is followed, I can't see how anyone would be able to pick up Referers
    > containing tickets without having access to our server.  Please
    > enlighten me if I've misunderstood anything here.
    
    If your page for some reason references an external object (page,
    image or whatever) then this external object will get the Referer
    header indicating the full URL of your page. If this URL (the URL of
    your page) includes the user's ticket then the ticket is exposed to that
    external object.
    
    For this simple reason, my guideline is to never include tickets in
    URLs. Always pass them around using (hidden) form fields sent via POST.
    
    --
    Henrik Nordstrom
    Squid HTTP proxy developer
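
The leak Henrik describes, and the hidden-field POST alternative he recommends, as an added Python example (not code from the original thread, nor from Squid). It simulates what a browser of the period copies from the page URL into the Referer header when it fetches an external object (RFC 2616 14.36: the referring URI minus fragment; 15.1.3: nothing at all on an https to http fetch), then contrasts a ticket carried in a GET URL with one carried in a hidden POST field, and adds the server-side check that refuses a ticket arriving in the query string. The hostnames under example.invalid, the `ticket` parameter name and the HMAC-derived ticket format are assumptions for illustration, not anything the list post specifies.

```python
from html import escape
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed server-side secret for the demo; a real deployment would keep a
# random per-session ticket in server state rather than derive it from a key.
SECRET = b"demo-only-server-secret"


def issue_ticket(session_id: str, action: str) -> str:
    """Ticket tied to one session and one side-effecting action (constructed scheme)."""
    mac = hmac.new(SECRET, f"{session_id}|{action}".encode(), hashlib.sha256).hexdigest()
    return f"{action}.{mac[:32]}"


def referer_for(page_url: str, target_url: str) -> Optional[str]:
    """Referer a browser of the period sends when page_url fetches target_url.

    RFC 2616 14.36: the referring URI without its fragment.  15.1.3: no
    Referer at all when an https page fetches a plain-http resource.
    User-info is stripped as browsers do; everything else, query string
    included, goes out to the external host.
    """
    page = urlsplit(page_url)
    if page.scheme == "https" and urlsplit(target_url).scheme == "http":
        return None
    netloc = page.netloc.rsplit("@", 1)[-1]
    return urlunsplit((page.scheme, netloc, page.path, page.query, ""))


def tickets_in_url(url: str, param: str = "ticket") -> List[str]:
    """Every ticket value an observer of this URL (or of a Referer) learns."""
    return parse_qs(urlsplit(url).query).get(param, [])


def link_with_ticket(action_path: str, ticket: str, **params: str) -> str:
    """The pattern the mail warns against: ticket carried in a GET URL."""
    return f"{action_path}?{urlencode({**params, 'ticket': ticket})}"


def form_with_ticket(action_path: str, ticket: str, **params: str) -> str:
    """The pattern the mail recommends: ticket in a hidden field sent via POST."""
    fields = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in {**params, "ticket": ticket}.items()
    )
    return (f'<form method="POST" action="{escape(action_path)}">'
            f'{fields}<input type="submit" value="Go"></form>')


def verify_ticket(session_id: str, action: str, method: str,
                  query: str, form_body: str) -> Tuple[bool, str]:
    """Server-side check: a side-effecting action needs a POST whose body
    carries the ticket.  A ticket in the query string is refused even when
    it is otherwise valid, so the leaky URL pattern can never work by accident."""
    if tickets_in_url("?" + query):
        return False, "ticket in URL refused"
    if method != "POST":
        return False, "side-effecting action requires POST"
    presented = parse_qs(form_body).get("ticket", [""])[0]
    expected = issue_ticket(session_id, action)
    if not presented or not hmac.compare_digest(presented, expected):
        return False, "missing or invalid ticket"
    return True, "ok"


def demo() -> Dict[str, List[str]]:
    """Compare what an external image host learns under each pattern."""
    sid, action = "sess-0123", "delete"
    ticket = issue_ticket(sid, action)
    banner = "https://cdn.example.invalid/banner.gif"  # external object on our page

    # Pattern 1: the page URL itself carries the ticket (GET link).
    url_page = "https://app.example.invalid" + link_with_ticket("/" + action, ticket, item="42")
    # Pattern 2: the page URL is clean; the ticket lives only in the form body.
    form_page = "https://app.example.invalid/items/42"

    return {
        "leaked_via_url": tickets_in_url(referer_for(url_page, banner) or ""),
        "leaked_via_form": tickets_in_url(referer_for(form_page, banner) or ""),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` reports the ticket under `leaked_via_url` and an empty list under `leaked_via_form`: the external banner host sees the whole query string in the first case and only a clean path in the second. Current browsers default to a Referrer-Policy of `strict-origin-when-cross-origin`, which sends only the origin to other sites, but the guideline still stands, since a ticket in the URL also lands in proxy and server logs, browser history and bookmarks, and any `<a>` the user copies elsewhere.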
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 13:55:15 PDT