Hi François,
If you log out of the forum, and then log in and click the "Don't use cookies" checkbox, you will see the redirect for URLs.
This is because without cookies, the URL to a post will be something like:
...../gforum.cgi?post=123456;session=a46f....(32 characters)
If you click directly on a URL, many browsers will send along the current URL in the HTTP_REFERER variable, which could allow someone to break into your account by linking to a CGI script that records the HTTP_REFERER. They would have to be fast, of course, as the session times out after an hour of inactivity, but it is still a security concern.
If you log in with cookies, the "session=..." part will not be in the URL, so it is not a security concern to be able to directly link to web pages when using cookies.
Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
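Added example, not part of the original post and not Gossamer Forum's own code: a sketch of the link-rewriting decision described above, where external links are sent through a redirect only when the current page URL carries a session. The `/redirect.cgi` endpoint, the host names and the function names are hypothetical.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Assumption: the session token travels in a query parameter named "session",
# as in the URL shown in the post; pairs are separated by ";" or "&".
SESSION_PARAM = "session"
# Hypothetical redirect endpoint. Assumption: it is served without a session
# in its own URL and answers with an HTML page that forwards the browser,
# not an HTTP 3xx (a 3xx would keep the original Referer).
REDIRECT_ENDPOINT = "/redirect.cgi"


def query_pairs(url):
    """Split the query string on ';' or '&' into raw 'name=value' pairs."""
    return [p for p in re.split(r"[;&]", urlsplit(url).query) if p]


def has_session(url):
    """True if the URL's query string carries a session parameter."""
    return any(p.split("=", 1)[0] == SESSION_PARAM for p in query_pairs(url))


def strip_session(url):
    """Return the URL with every session parameter removed."""
    kept = [p for p in query_pairs(url) if p.split("=", 1)[0] != SESSION_PARAM]
    return urlunsplit(urlsplit(url)._replace(query=";".join(kept)))


def outbound_href(page_url, target_url):
    """Choose the href to render for a link found in a post.

    A direct external link would hand the current page URL, session
    included, to the remote site in the Referer header, so those links
    go through the redirect endpoint. Cookie logins and links that stay
    on the forum's own host are rendered unchanged.
    """
    target_host = urlsplit(target_url).netloc
    external = bool(target_host) and target_host != urlsplit(page_url).netloc
    if external and has_session(page_url):
        return REDIRECT_ENDPOINT + "?url=" + quote(target_url, safe="")
    return target_url


if __name__ == "__main__":
    # Constructed sample URLs; the 32-character token is a placeholder.
    page = "http://forum.example/gforum.cgi?post=123456;session=" + "a" * 32
    print(outbound_href(page, "http://other.example/log.cgi?x=1"))
    print(strip_session(page))
```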