There are actually three distinct and unrelated(!) issues here:
- Persistence: This is actually the only thing that “sessions” do. By themselves, sessions know how to retrieve and store a vector of state-information, given a session-ID key, but do not validate the correctness of that key.
- Authentication: Determining, to your satisfaction, that the user actually is who he claims to be.
- Authorization: Given that you have determined that the user actually is who he claims to be, what can the user do?
Many web sites make the serious error of confusing “knowledge of a currently-valid (or even just properly formatted...) session-ID” with “being the properly-authenticated legitimate owner of that session-ID.” They also honor valid-looking GET-request URIs without first verifying that the claimed presenter of such a URI is in fact currently logged in. It is painfully obvious that the owners and designers of such sites never stopped to “talk like a pirate... arrrrr!!!”
They never stopped to consider: “what if the person submitting an HTTP-request to my site was intentionally and willfully attempting to commit a felony?”
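The three layers the post separates, shown as an added example (not code from the post's author): a session store that only persists state by key, a login step that binds a verified identity to a session, and a request handler that checks persistence, then authentication, then authorization before honoring an action. The accounts, roles and action names are constructed for the illustration; a fresh session has a perfectly valid session-ID but still gets refused because nobody has logged in on it.

```python
import hmac
import secrets


class SessionStore:
    """Persistence only: look up or store a state vector by session-ID key.
    It cannot tell whether the client presenting a key is its rightful owner."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # unguessable, but still just a key
        self._sessions[sid] = {}         # fresh session: nobody is logged in yet
        return sid

    def get(self, sid):
        return self._sessions.get(sid)   # None when the key is unknown


# Constructed sample accounts; a real site would store password hashes.
USERS = {
    "alice": {"password": "correct horse", "roles": {"editor"}},
    "bob": {"password": "battery staple", "roles": {"viewer"}},
}

# Authorization policy (constructed): which roles may perform which action.
PERMISSIONS = {
    "view_report": {"viewer", "editor"},
    "delete_report": {"editor"},
}


def login(store, sid, username, password):
    """Authentication: bind a verified identity to an existing session."""
    session = store.get(sid)
    if session is None:
        return False
    account = USERS.get(username)
    if account is None or not hmac.compare_digest(
        password.encode(), account["password"].encode()
    ):
        return False
    session["user"] = username
    return True


def handle_request(store, sid, action):
    """Check persistence, then authentication, then authorization, in that order.
    Returns an (HTTP status, message) pair."""
    session = store.get(sid) if sid else None
    if session is None:
        return 401, "unknown session-ID"
    user = session.get("user")
    if user is None:
        # The key is valid, but the presenter has not proven who they are.
        return 401, "session exists but nobody is logged in"
    if action not in PERMISSIONS or not (USERS[user]["roles"] & PERMISSIONS[action]):
        return 403, "forbidden"
    return 200, f"{action} performed for {user}"


def demo():
    """Walk through the cases the post describes and collect the outcomes."""
    store = SessionStore()
    anon = store.create()
    results = {
        "forged_key": handle_request(store, "x" * 43, "view_report"),
        "valid_key_not_logged_in": handle_request(store, anon, "view_report"),
    }
    login(store, anon, "bob", "battery staple")
    results["bob_view"] = handle_request(store, anon, "view_report")
    results["bob_delete"] = handle_request(store, anon, "delete_report")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The handler never trusts the session-ID alone: the store answers only "is this key known", the session's `user` field answers "has this session been authenticated", and the role lookup answers "may this user do that". A GET-request URI presented with a known but never-authenticated key falls out at the second check.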