[ic] CookieName directive fails

Kevin Walsh kevin at cursor.biz
Fri Aug 12 07:52:55 EDT 2005


Mike Heins [mike at perusion.com] wrote:
> Quoting Kevin Walsh (kevin at cursor.biz):
> > Do you mean the session ID itself?  I thought that was just randomly
> > generated with Vend::Util::random_string(), using the $random_chars
> > value ([A-Za-z0-9] minus [O01l]).  That would be captured by the
> > existing default (\w{8,32}) pattern.  The current CookiePattern
> > directive allows other patterns to be matched, but that doesn't affect
> > the Session ID generation.  The only reason to use CookiePattern at
> > the moment, as far as I can see, is because it's required when using
> > the CookieName directive.
> >
> Yes. And because the whole idea of CookieName is that you can
> accept a cookie from some other program -- i.e. not generated
> by IC.
> 
Ah - there we go.  I overlooked the fact that an external program could
set the session ID value.  Well, unless that value is already in use
by the Interchange-driven website, in which case a new one would be
generated.  Having non-word characters in the ID would almost guarantee
that it would not be already in use by IC.  This obviously needs more
thought.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin at cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/



More information about the interchange-users mailing list