How To Dynamic Web Rendering?

Nick Sabalausky a at a.a
Sun May 15 13:37:37 PDT 2011


"Adam D. Ruppe" <destructionator at gmail.com> wrote in message 
news:iqp7gu$7l6$1 at digitalmars.com...
>
> (BTW, PHP's automatic session handling *only* uses the session id.
> This leaves it open to trivial session hijacking. In web.d, the
> session functions automatically check IP address and user agent
> as well as cookies. It can still be hijacked in some places, but
> it's a little harder. To prevent hijacking in all situations,
> https is a required part of the solution, and the cgi library can't
> force that unilaterally. Well, maybe it could, but it'd suck.)
>

My understanding is that you CANNOT assume different requests in the same 
session from the same computer are coming from the same IP. Apparently there 
are a lot of networks, such as corporate networks and anonymizing networks, 
which will cause different requests from the same user to wind up coming 
from different IPs.

The *ONLY* reliable way to prevent session hijacking without breaking your 
site for many users is to force everything (and I mean EVERYTHING) through 
https from the time the session is created to the time the session is 
killed.

Yes, that does suck, but you'll certainly never see me claim that the web 
isn't the absolute worst, piece of shit excuse for an "applications 
platform" in history.

One of the reasons for this particular mess (besides the whole "shoving 
applications through a stateless protocol" bullshit) is idiotic limitations 
of cookies. More specifically, there isn't nearly enough you can do to 
restrict the URLs for which the browser will send a particular cookie.
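An added example (not code from this thread, from PHP, or from web.d) that models the three session policies discussed above in Python: id only, id bound to IP and User-Agent, and a session minted and accepted only over HTTPS with a Secure cookie. The request sequence, addresses and user agents are constructed.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
@dataclass
class Request:  # constructed model of one incoming HTTP request
    session_id: str | None
    ip: str
    user_agent: str
    https: bool
class SessionStore:
    # policy: "id_only" (PHP-style), "bind_ip_ua" (web.d-style),
    # or "https_only" (session minted and accepted only over TLS)
    def __init__(self, policy: str):
        assert policy in ("id_only", "bind_ip_ua", "https_only")
        self.policy = policy
        self.sessions = {}  # session id -> (ip, user_agent) seen at creation

    def create(self, req: Request) -> str | None:
        if self.policy == "https_only" and not req.https:
            return None  # never mint a session over plaintext
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable id
        self.sessions[sid] = (req.ip, req.user_agent)
        return sid

    def set_cookie(self, sid: str) -> str:
        flags = "; HttpOnly; Path=/"
        if self.policy == "https_only":
            flags += "; Secure"  # browser must not send it over http
        return f"sid={sid}{flags}"

    def validate(self, req: Request) -> bool:
        bound = self.sessions.get(req.session_id or "")
        if bound is None:
            return False
        if self.policy == "bind_ip_ua":
            return bound == (req.ip, req.user_agent)
        if self.policy == "https_only":
            return req.https  # refuse plaintext use of the id outright
        return True

def simulate(policy: str) -> dict[str, bool]:
    store = SessionStore(policy)
    ua = "Mozilla/5.0 (constructed UA)"
    sid = store.create(Request(None, "10.0.0.1", ua, https=True))
    # same user; the corporate proxy pool now routes them from another IP
    moved = store.validate(Request(sid, "10.0.0.2", ua, https=True))
    # same id presented by an unrelated client over plaintext http
    replay = store.validate(Request(sid, "203.0.113.9", "curl/7.0", https=False))
    return {"legit_user_ip_changed": moved, "replayed_id_plaintext": replay}
```

With bind_ip_ua the legitimate user whose address changed is rejected, while the id-only store accepts the replayed cookie; https_only only refuses the plaintext replay, which is why the cookie has to stay off plaintext for the whole life of the session.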




More information about the Digitalmars-d-learn mailing list