Re: Is it OK to require per-session cookies?

From: Thomas Hurst <tom.hurst@clara.net>
Date: Tue, 27 Nov 2001 19:40:10 +0000
To: www-html@w3.org
Message-ID: <20011127194010.GA59748@sploo.aagh.net>
* Jens Müller (jens@unfaehig.de) wrote:

> Thomas Hurst <tom.hurst@clara.net> writes:
> 
> > Hence, how Amazon always asks for a password before you do anything.  IP
> > tracking and restrictive login timeouts should take care of forms.
> 
> IP tracking over proxies with multiple output IPs?

Check for an X-Forwarded-For:, if not, check for a Via: and if it's
there disable the IP check, or just check for the same class C network.

> Restrictive login timeouts? How short should they be then? 10 seconds?

However long you feel's acceptable for someone to fill out a form or two.

Personally I'd make sure each URI is one time only - allocate a unique
id for each page and remove it once it's been accessed - that way
anything that appears in a referer header can't be used again.

-- 
Thomas 'Freaky' Hurst  -  freaky@aagh.net  -  http://www.aagh.net/
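The one-time page ids, proxy-aware IP binding and idle timeout sketched in the reply above, as an added example that is not from the original post or the list; the SessionGuard class, its in-memory store and the injectable clock are assumptions for illustration.

```python
import ipaddress
import secrets
import time

# Hypothetical session guard (constructed for this example, not the author's code).
# Binds a session to a client network, honours proxies the way the post suggests,
# expires idle sessions, and hands out single-use page ids so a leaked Referer
# cannot be replayed.
class SessionGuard:
    def __init__(self, idle_timeout=300, now=time.time):
        self.now = now                  # clock, injectable so tests can advance it
        self.idle_timeout = idle_timeout  # seconds a session may sit idle
        self.sessions = {}              # sid -> {"ip": str, "last": float}
        self.page_ids = {}              # one-time page id -> sid that issued it

    def login(self, sid, client_ip):
        self.sessions[sid] = {"ip": client_ip, "last": self.now()}

    def client_ip(self, remote_addr, headers):
        # X-Forwarded-For: use the original client (first hop). Only a Via: header:
        # opaque proxy, so skip the IP check (None) rather than reject real users.
        # Caveat: X-Forwarded-For is set by the sender, so in production only honour
        # it on requests that arrive from your own proxy.
        xff = headers.get("X-Forwarded-For")
        if xff:
            return xff.split(",")[0].strip()
        if headers.get("Via"):
            return None
        return remote_addr

    @staticmethod
    def same_class_c(a, b):
        # "same class C network" is the same /24
        net = lambda ip: ipaddress.ip_network(ip + "/24", strict=False)
        return net(a) == net(b)

    def check(self, sid, remote_addr, headers):
        s = self.sessions.get(sid)
        if s is None:
            return False
        if self.now() - s["last"] > self.idle_timeout:
            del self.sessions[sid]      # restrictive login timeout
            return False
        ip = self.client_ip(remote_addr, headers)
        if ip is not None and not self.same_class_c(ip, s["ip"]):
            return False
        s["last"] = self.now()
        return True

    def issue_page_id(self, sid):
        pid = secrets.token_urlsafe(16)  # unique, unguessable id for this page
        self.page_ids[pid] = sid
        return pid

    def consume_page_id(self, pid, sid):
        # Removed on first access, so the same URI cannot be used a second time.
        return self.page_ids.pop(pid, None) == sid
```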
Received on Tuesday, 27 November 2001 14:40:14 GMT