<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6249.1">
<TITLE>sessions vars question</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Hello,<BR>
<BR>
It is very fun to work with server sessions in albatross.<BR>
For example, I have a session variable 'name'.<BR>
I create a local context variable ctx.locals.name = 'username'<BR>
and add it to the session with ctx.add_session_vars('name').<BR>
<BR>
After that I felt relaxed about the value stored in the session variable 'name'.<BR>
<BR>
So I need this session variable value from time to time. I'm using RandomModularSessionAppication.<BR>
In my code I have method:<BR>
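def process_request(ctx):<BR>
&nbsp;&nbsp;&nbsp;&nbsp;.....<BR>
&nbsp;&nbsp;&nbsp;&nbsp;.....<BR>
&nbsp;&nbsp;&nbsp;&nbsp;user.name = ctx.locals.name #(I'm not sure that this is the correct way to get a session variable value)<BR>
&nbsp;&nbsp;&nbsp;&nbsp;....<BR>
&nbsp;&nbsp;&nbsp;&nbsp;....<BR>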
<BR>
And actually this works. BUT if I add to the browser request string something like<BR>
<A HREF="http://host/mypage?name='qqqqqqq'">http://host/mypage?name='qqqqqqq'</A><BR>
<BR>
then in my code the user name is no longer 'username', but 'qqqqqqq'.<BR>
<BR>
So I cannot believe that having server-side session vars could be so "secure".<BR>
It's the same as storing session vars in hidden input fields in the browser.<BR>
<BR>
What's wrong with it?</FONT>
</P>
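<P><FONT SIZE=2>A simplified model of the behaviour described in the message above, added here as an example; it is not part of the original post and not Albatross's own code. It shows a session value being shadowed when request fields are merged into the same namespace, next to a guarded merge that refuses names registered as session variables. All class and function names, the load-then-merge order and the sample values are assumptions.</FONT></P>
<PRE>
```python
# Simplified model only; not Albatross code. All class and function names
# are hypothetical and the load-then-merge order is an assumption.
from urllib.parse import parse_qs, urlencode


class SharedNamespaceContext:
    """Session values and request fields share one 'locals' namespace."""

    def __init__(self, session):
        self.locals = dict(session)        # restore server-side session values
        self.rejected = []

    def merge_request(self, query_string):
        for key, values in parse_qs(query_string).items():
            self.locals[key] = values[0]   # request field shadows session value


class GuardedContext(SharedNamespaceContext):
    """Request fields may not overwrite names registered as session vars."""

    def __init__(self, session):
        super().__init__(session)
        self.session_vars = set(session)

    def merge_request(self, query_string):
        for key, values in parse_qs(query_string).items():
            if key in self.session_vars:
                self.rejected.append(key)  # record it for logging or alerting
                continue
            self.locals[key] = values[0]


def handle(context_cls, query_string):
    """Return (locals seen by the page code, rejected request field names)."""
    ctx = context_cls({"name": "username"})   # constructed session contents
    ctx.merge_request(query_string)
    return ctx.locals, ctx.rejected


# Constructed request: the 'name' field from the post plus an ordinary field.
SAMPLE_QUERY = urlencode({"name": "'qqqqqqq'", "page": "2"})

if __name__ == "__main__":
    print(handle(SharedNamespaceContext, SAMPLE_QUERY))
    print(handle(GuardedContext, SAMPLE_QUERY))
```
</PRE>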
</BODY>
</HTML>