[ic] CookieName directive fails
Kevin Walsh
kevin at cursor.biz
Fri Aug 12 07:52:55 EDT 2005
Mike Heins [mike at perusion.com] wrote:
> Quoting Kevin Walsh (kevin at cursor.biz):
> > Do you mean the session ID itself? I thought that was just randomly
> > generated with Vend::Util::random_string(), using the $random_chars
> > value ([A-Za-z0-9] minus [O01l]). That would be captured by the
> > existing default (\w{8,32}) pattern. The current CookiePattern
> > directive allows other patterns to be matched, but that doesn't affect
> > the Session ID generation. The only reason to use CookiePattern at
> > the moment, as far as I can see, is because it's required when using
> > the CookieName directive.
> >
> Yes. And because the whole idea of CookieName is that you can
> accept a cookie from some other program -- i.e. not generated
> by IC.
>
Ah - there we go. I overlooked the fact that an external program could
set the session ID value. Well, unless that value is already in use
by the Interchange-driven website, in which case a new one would be
generated. Having non-word characters in the ID would almost guarantee
that it would not be already in use by IC. This obviously needs more
thought.
--
Kevin Walsh
kevin at cursor.biz
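
The acceptance logic discussed in this thread, sketched as an added example that is not part of the original message and is not Interchange's own code: a supplied cookie value is kept only if the whole value matches the configured pattern and is not already in use, otherwise a new ID is drawn from the alphabet described above. The names `new_session_id` and `choose_session_id`, the widened pattern, the 8-character ID length and all sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Alphabet from the thread: [A-Za-z0-9] minus the look-alikes O, 0, 1 and l.
my @CHARS = grep { !/[O01l]/ } ('A' .. 'Z', 'a' .. 'z', '0' .. '9');

# Hypothetical generator (a stand-in, not Vend::Util::random_string itself).
# Draws bytes from /dev/urandom and rejects values that would bias the modulo.
sub new_session_id {
    my ($len) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $limit = 256 - (256 % @CHARS);
    my $id    = '';
    while (length($id) < $len) {
        read($fh, my $byte, 1) == 1 or die "short read from /dev/urandom";
        my $n = ord $byte;
        next if $n >= $limit;
        $id .= $CHARS[$n % @CHARS];
    }
    close $fh;
    return $id;
}

# Hypothetical helper: keep a supplied cookie value only when the WHOLE value
# matches the configured pattern and is not already in use; otherwise issue a new ID.
sub choose_session_id {
    my ($cookie, $pattern, $in_use) = @_;
    if (defined $cookie && $cookie =~ /\A(?:$pattern)\z/ && !$in_use->{$cookie}) {
        return ($cookie, 'kept');
    }
    my $id;
    do { $id = new_session_id(8) } while $in_use->{$id};
    return ($id, 'regenerated');
}

# Constructed sample data, not taken from a real site.
my %in_use = (Xy7kQp2m => 1);
my @cases  = (
    ['Xy7kQp2m',         '\w{8,32}'],        # word characters, but already in use
    ['Ab3dEf9h',         '\w{8,32}'],        # word characters, free
    ['ext:4f2a-99c1.7b', '\w{8,32}'],        # external format vs. default pattern
    ['ext:4f2a-99c1.7b', '[\w:.-]{8,64}'],   # same value, widened pattern
    ['Ab3dEf9h;junk',    '\w{8,32}'],        # valid prefix plus extra characters
);
for my $case (@cases) {
    my ($id, $how) = choose_session_id(@$case, \%in_use);
    printf "%-18s %-14s -> %-11s %s\n", $case->[0], $case->[1], $how, $id;
}
```

Without the `\A...\z` anchors the last case would match on its first eight characters, so a pattern meant to constrain the value would only constrain a prefix of it.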