Forum: Community Center


Subject: Warning!

Toomuchtime opened this issue on Jan 14, 2006 · 17 posts


svdl posted Sat, 14 January 2006 at 8:51 PM

A few parts of 'rosity still use SessionIDs in the URL. Which is bad practice - as we can see here.

You can recognise the presence of a sessionID by watching the URL: if it contains something like "&SessionID=xxxxx" it's there.

I haven't seen Bondware 3.0 in action yet, but if it is not totally crap, it will NOT use SessionIDs in the URLs. Those sessionIDs should be contained in encrypted hidden form fields; this has been standard practice for over 5 years now.

Message edited on: 01/14/2006 20:51

The pen is mightier than the sword. But if you literally want to have some impact, use a typewriter

My gallery   My freestuff
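The check svdl describes (looking for "&SessionID=xxxxx" in a URL) can be automated before a link is pasted into a post. The following is an added example, not part of the original thread: the parameter names other than `SessionID`, the `;jsessionid=` path form (a generalization beyond the query-string case in the post), and the `forum.example` URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Names treated as session identifiers, compared case-insensitively.
# Only "SessionID" comes from the thread; the rest are assumed common variants.
SESSION_PARAMS = {"sessionid", "session_id", "phpsessid", "jsessionid"}
PATH_PARAM_RE = re.compile(r";(jsessionid|sessionid)=[^;/?#]*", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def strip_session_id(url):
    """Return (clean_url, found); found lists the session parameters removed."""
    parts = urlsplit(url)
    found, kept = [], []
    # Query-string form: ...?topic=42&SessionID=abc123
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.append(name)
        else:
            kept.append((name, value))
    # Path-parameter form: /view;jsessionid=abc123
    found.extend(m.group(1) for m in PATH_PARAM_RE.finditer(parts.path))
    if not found:
        return url, found  # leave untouched URLs byte-for-byte identical
    path = PATH_PARAM_RE.sub("", parts.path)
    clean = urlunsplit(
        (parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment)
    )
    return clean, found


def scrub_text(text):
    """Strip session IDs from every URL in a draft post.

    Returns (clean_text, number_of_urls_changed).
    """
    changed = 0

    def repl(match):
        nonlocal changed
        clean, found = strip_session_id(match.group(0))
        if found:
            changed += 1
        return clean

    return URL_RE.sub(repl, text), changed
```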