Mike Heins suppressed wrote:
> Quoting Kevin Walsh (suppressed):
> > Do you mean the session ID itself? I thought that was just randomly
> > generated with Vend::Util::random_string(), using the $random_chars
> > value ([A-Za-z0-9] minus [O01l]). That would be captured by the
> > existing default (\w{8,32}) pattern. The current CookiePattern
> > directive allows other patterns to be matched, but that doesn't affect
> > the Session ID generation. The only reason to use CookiePattern at
> > the moment, as far as I can see, is because it's required when using
> > the CookieName directive.
> >
> Yes. And because the whole idea of CookieName is that you can
> accept a cookie from some other program -- i.e. not generated
> by IC.
>
Ah - there we go. I overlooked the fact that an external program could
set the session ID value. Well, unless that value is already in use
by the Interchange-driven website, in which case a new one would be
generated. Having non-word characters in the ID would almost guarantee
that it would not be already in use by IC. This obviously needs more
thought.
--
_/ _/ _/_/_/_/ _/ _/ _/_/_/ _/ _/
_/_/_/ _/_/ _/ _/ _/ _/_/ _/ K e v i n W a l s h
_/ _/ _/ _/ _/ _/ _/ _/_/ suppressed
_/ _/ _/_/_/_/ _/ _/_/_/ _/ _/
_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users
Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.