Is blocking cookies a treat?

Talk about internet security, computer security, personal security, your social security number...
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm

Is blocking cookies a treat?

Post by Lucas Malor »

I started to do some little programming using PHP. (I don't like it, I prefer Python, but it's the most used, so...)

Using sessions, I understood that if the session ID is not stored in cookies, it must be propagated with POST (or GET...). I noticed that some sites automatically use GET if they can't set cookies. I think it's much more secure to allow non-third-party cookies by default instead of having this. For example, if I remember correctly, phpBB by default sends the session ID using GET, but this board removed that "feature".

You can see if the site is using GET by checking the URL (even if I don't check the URL every time I log in to a site...), but it's hard to tell if the site is using POST (I think you can see it by refreshing a site page while you're logged in, but memory plays a role here, as it does for checking the URL for GET).

What do you think about it?
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Is blocking cookies a treat?

Post by Thrawn »

You might have noticed that this site is not encrypted. When you log in, your password is sent in cleartext. You should not reuse a password that you use for any other purpose.

Given that, there isn't really much point in distinguishing between cookie-based and URL-based session IDs :D.
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm

Re: Is blocking cookies a treat?

Post by Lucas Malor »

Well, Wikipedia says POST and GET should be avoided for propagating the SID:
http://en.wikipedia.org/wiki/Session_fixation
I must say I'm a total newbie, so I don't know very much about sessions or how to avoid multiple logins, for example.

PS: if someone wants to waste his time stealing my password for this forum, I suggest he find a more exciting hobby... like curling :mrgreen:
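For the two points raised in this thread, the session ID falling back to GET/POST propagation in the first post and the session fixation risk linked above, this is how the PHP side is usually locked down. It is an added example, not code from this forum or from phpBB; it assumes PHP 7.3 or newer (array form of session_set_cookie_params) and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Never fall back to carrying the SID in the URL (?PHPSESSID=...) or in a
// hidden form field; if the browser refuses the cookie, there is no session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session IDs the server did not generate itself (PHP >= 7.1), so a
// SID planted by a third party is discarded instead of adopted.
ini_set('session.use_strict_mode', '1');

// Cookie flags: HTTPS only, not readable by page scripts, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,   // assumption: the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

/**
 * Call right after the credentials have been verified. Regenerating the ID
 * invalidates any SID that existed before login, which is the standard
 * defence against session fixation.
 */
function loginUser(int $userId): void
{
    session_regenerate_id(true);         // true = discard the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
}

/**
 * Hypothetical helper for a self-check: does a URL carry the session name
 * (PHPSESSID by default) as a query parameter, i.e. is the SID leaking via GET?
 */
function sidInUrl(string $url): bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;                    // no query string at all
    }
    parse_str($query, $params);
    return array_key_exists(session_name(), $params);
}
```

With use_trans_sid off and use_only_cookies on, sidInUrl() should never return true for links the application itself generates; if it does, some code path is building URLs with the SID by hand.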
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Is blocking cookies a treat?

Post by Thrawn »

Well, the one who would know the most about the security measures on this forum is Giorgio. But I know he has taken steps to harden phpBB.