On Tue, Sep 02, 2003 at 04:32:30PM +0900, Volker Grabsch wrote:
> Volker Grabsch wrote:
> > There are some simple standard problems which crowd my brain :-)
> > ...
>
> Hmm, and no answer yet.
>
> Isn't there anyone dealing with this kind of issue?
>

Have you ever tried it? Making a hidden form field from a session is not so complicated:

    puts "<input type=\"hidden\" name=\"id\" value=\"#{@session.session_id}\">"

and earlier init the session with something like:

    puts cgi.header("text/html")
    @session = CGI::Session.new(cgi, "session_key" => "id")

works like a charm. To disable the cookie I put the cgi.header call before the CGI::Session.new call. I'm not sure if there is a better solution to this (I started working with Ruby just a few days ago.)

> > So my thoughts about these issues. Does anyone know in what way
> > they are implemented or why they better shouldn't?
>
> Well, I should ask this in another way :-)
>
> Did anyone actually *implement* this kind of session security?
> .... or ...
> Did anyone consider that, but didn't do so for good reasons?
>

Remember sessions can be hijacked, so it is useful to store some additional info in the session file (like the IP address of the client and a session timeout). This does not matter if it is a cookie or a GET/POST field. IMHO storing sensitive data in a cookie is a bad idea.

-- 
:wq Claudio
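What the reply above describes, an opaque session id carried in a hidden form field while the client's address and a timeout live server-side, as a worked Ruby example. This is an added illustration, not code from the thread or from Ruby's cgi library: a small in-memory SessionStore stands in for CGI::Session's file store, the client addresses (192.0.2.10, 198.51.100.7) and the POST body are constructed, and the 900-second timeout is an arbitrary choice.

```ruby
require "securerandom"
require "erb"
require "uri"

# Server-side session store standing in for CGI::Session's file store
# (hypothetical, for illustration). Only the opaque id ever reaches the
# browser; the client address, expiry and user data stay on the server.
class SessionStore
  Session = Struct.new(:id, :remote_addr, :expires_at, :data)

  def initialize(timeout: 900)
    @timeout = timeout      # seconds of inactivity before a session dies
    @sessions = {}          # id => Session
  end

  # Mint a session bound to the requesting client's address.
  def create(remote_addr, now: Time.now)
    id = SecureRandom.hex(16)   # 128 random bits: not guessable by an attacker
    @sessions[id] = Session.new(id, remote_addr, now + @timeout, {})
  end

  # Resolve an id presented by a request. Returns nil (and drops the session)
  # when the id is unknown, arrives from a different address than the one it
  # was issued to, or has timed out; otherwise slides the timeout forward.
  def fetch(id, remote_addr, now: Time.now)
    session = @sessions[id]
    return nil unless session
    if now >= session.expires_at || session.remote_addr != remote_addr
      @sessions.delete(id)
      return nil
    end
    session.expires_at = now + @timeout
    session
  end

  def size
    @sessions.size
  end
end

# The hidden field that carries the id instead of a cookie. Both attribute
# values are HTML-escaped so nothing can break out of the attribute.
def hidden_field(name, value)
  %(<input type="hidden" name="#{ERB::Util.html_escape(name)}" value="#{ERB::Util.html_escape(value)}">)
end

# Parse the application/x-www-form-urlencoded body the field comes back in.
def parse_form(body)
  URI.decode_www_form(body).to_h
end

# Walk one round trip: issue a session, embed it in a form, get it back in a
# POST body, then show how a replay from another address is refused.
def round_trip
  store = SessionStore.new(timeout: 900)
  t0 = Time.at(1_062_000_000)                       # fixed clock for repeatability
  session = store.create("192.0.2.10", now: t0)     # constructed client address
  session.data[:user] = "alice"

  form = hidden_field("id", session.id)
  body = "id=#{session.id}&action=show"             # constructed POST body
  params = parse_form(body)

  ok = store.fetch(params["id"], "192.0.2.10", now: t0 + 60)
  hijacked = store.fetch(params["id"], "198.51.100.7", now: t0 + 61)  # replayed id, other host
  {
    form: form,
    user: ok && ok.data[:user],
    hijack_refused: hijacked.nil?,
    sessions_left: store.size,
  }
end

if __FILE__ == $PROGRAM_NAME
  p round_trip
end
```

Two caveats a practitioner would want next to this: binding a session to the client address will log out legitimate users whose address changes mid-session (mobile clients, load-balanced proxies), so many deployments log and re-authenticate on mismatch rather than silently dropping the session; and the id should travel in a POST body, not a GET parameter, because query strings end up in server logs, browser history and Referer headers, which is exactly where a hijacker would look for it.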