* Should we continue to support session in params?
@ 2010-10-03 17:03 James Tucker
2010-10-03 17:59 ` Yehuda Katz
0 siblings, 1 reply; 3+ messages in thread
From: James Tucker @ 2010-10-03 17:03 UTC (permalink / raw)
To: rack-devel
There's an option in the sessions infrastructure to support sessions via params. It's untested anywhere except in the memcache session specs. I'd like to remove it as it's nothing but an optional security hole. I can't imagine anyone using this for anything sane, but I'm checking here in case I'm wrong.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Should we continue to support session in params?
2010-10-03 17:03 Should we continue to support session in params? James Tucker
@ 2010-10-03 17:59 ` Yehuda Katz
2010-10-03 18:07 ` James Tucker
0 siblings, 1 reply; 3+ messages in thread
From: Yehuda Katz @ 2010-10-03 17:59 UTC (permalink / raw)
To: rack-devel
[-- Attachment #1: Type: text/plain, Size: 576 bytes --]
Unfortunately, this probably exists to support Flash file uploads, which
can't pass cookies due to an ancient, still unfixed API bug.
Yehuda Katz
Architect | Strobe
(ph) 718.877.1325
On Sun, Oct 3, 2010 at 10:03 AM, James Tucker <jftucker@gmail.com> wrote:
> There's an option in the sessions infrastructure to support sessions via
> params. It's untested anywhere except in the memcache session specs. I'd
> like to remove it as it's nothing but an optional security hole. I can't
> imagine anyone using this for anything sane, but I'm checking here in case
> I'm wrong.
[-- Attachment #2: Type: text/html, Size: 1000 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Should we continue to support session in params?
2010-10-03 17:59 ` Yehuda Katz
@ 2010-10-03 18:07 ` James Tucker
0 siblings, 0 replies; 3+ messages in thread
From: James Tucker @ 2010-10-03 18:07 UTC (permalink / raw)
To: rack-devel
[-- Attachment #1: Type: text/plain, Size: 706 bytes --]
Ah, good answer. That makes me sad bear, but fair enough.
On 3 Oct 2010, at 14:59, Yehuda Katz wrote:
> Unfortunately, this probably exists to support Flash file uploads, which can't pass cookies due to an ancient, still unfixed API bug.
>
> Yehuda Katz
> Architect | Strobe
> (ph) 718.877.1325
>
>
> On Sun, Oct 3, 2010 at 10:03 AM, James Tucker <jftucker@gmail.com> wrote:
> There's an option in the sessions infrastructure to support sessions via params. It's untested anywhere except in the memcache session specs. I'd like to remove it as it's nothing but an optional security hole. I can't imagine anyone using this for anything sane, but I'm checking here in case I'm wrong.
>
[-- Attachment #2: Type: text/html, Size: 1326 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-10-03 18:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-10-03 17:03 Should we continue to support session in params? James Tucker
2010-10-03 17:59 ` Yehuda Katz
2010-10-03 18:07 ` James Tucker
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).