rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
 help / color / mirror / code / Atom feed
* Should we continue to support session in params?
@ 2010-10-03 17:03 James Tucker
  2010-10-03 17:59 ` Yehuda Katz
  0 siblings, 1 reply; 3+ messages in thread
From: James Tucker @ 2010-10-03 17:03 UTC (permalink / raw)
  To: rack-devel

There's an option in the sessions infrastructure to support sessions via params. It's untested anywhere except in the memcache session specs. I'd like to remove it as it's nothing but an optional security hole. I can't imagine anyone using this for anything sane, but I'm checking here in case I'm wrong.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Should we continue to support session in params?
  2010-10-03 17:03 Should we continue to support session in params? James Tucker
@ 2010-10-03 17:59 ` Yehuda Katz
  2010-10-03 18:07   ` James Tucker
  0 siblings, 1 reply; 3+ messages in thread
From: Yehuda Katz @ 2010-10-03 17:59 UTC (permalink / raw)
  To: rack-devel

[-- Attachment #1: Type: text/plain, Size: 576 bytes --]

Unfortunately, this probably exists to support Flash file uploads, which
can't pass cookies due to an ancient, still unfixed API bug.

Yehuda Katz
Architect | Strobe
(ph) 718.877.1325


On Sun, Oct 3, 2010 at 10:03 AM, James Tucker <jftucker@gmail.com> wrote:

> There's an option in the sessions infrastructure to support sessions via
> params. It's untested anywhere except in the memcache session specs. I'd
> like to remove it as it's nothing but an optional security hole. I can't
> imagine anyone using this for anything sane, but I'm checking here in case
> I'm wrong.

[-- Attachment #2: Type: text/html, Size: 1000 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Should we continue to support session in params?
  2010-10-03 17:59 ` Yehuda Katz
@ 2010-10-03 18:07   ` James Tucker
  0 siblings, 0 replies; 3+ messages in thread
From: James Tucker @ 2010-10-03 18:07 UTC (permalink / raw)
  To: rack-devel

[-- Attachment #1: Type: text/plain, Size: 706 bytes --]

Ah, good answer. That makes me sad bear, but fair enough.

On 3 Oct 2010, at 14:59, Yehuda Katz wrote:

> Unfortunately, this probably exists to support Flash file uploads, which can't pass cookies due to an ancient, still unfixed API bug.
> 
> Yehuda Katz
> Architect | Strobe
> (ph) 718.877.1325
> 
> 
> On Sun, Oct 3, 2010 at 10:03 AM, James Tucker <jftucker@gmail.com> wrote:
> There's an option in the sessions infrastructure to support sessions via params. It's untested anywhere except in the memcache session specs. I'd like to remove it as it's nothing but an optional security hole. I can't imagine anyone using this for anything sane, but I'm checking here in case I'm wrong.
> 


[-- Attachment #2: Type: text/html, Size: 1326 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-10-03 18:08 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-10-03 17:03 Should we continue to support session in params? James Tucker
2010-10-03 17:59 ` Yehuda Katz
2010-10-03 18:07   ` James Tucker

Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/rack.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).