Re: [squid-users] Re: Logging/Blocking URLs with question marks ?

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 21 Mar 2008 16:46:06 +1300

Matus UHLAR - fantomas wrote:
>>>>> so for example searches on google do not show the full URL.
>>> On 18.03.08 13:07, RW wrote:
>>>> I don't know much about 2.5 but in up-to-date versions, logging of query
>>>> urls is governed by "strip_query_terms". By default it's on to avoid
>>>> logging things like session IDs.
>>> it's called privacy :)
>
> On 20.03.08 00:52, Amos Jeffries wrote:
>> It's called philanthropy: protecting idiots against themselves at one's
>> own cost.
>>
>> No webmaster with any serious intentions of privacy publishes the
>> SESSION-IDs in visible URI. The sensible ones use session cookies,
>> nicely hidden from script-kiddies' eyes, easily removed by
>> security-conscious users, and not getting in the way of smart users
>> direct-linking.
>
> there are more things in GET strings than just session IDs...

I know, I use query strings a lot myself sometimes. But never for
critical data.
My comment was about the session IDs being in there or any other
'private' information.

Falls in a similar category as sending "user=bob&password=1234" in the
query-string. (Real example, from a 'secure payment' site no less :-( ).

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Thu Mar 20 2008 - 21:45:10 MDT
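
An added example, not part of the original message or of Squid itself: where strip_query_terms is turned off so that full URLs are logged, this Python code masks the values of password- and session-style query parameters in native-format access.log lines before they are stored. The parameter name list, host names and sample log lines are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names to mask; extend for the applications you proxy.
SENSITIVE = {"password", "passwd", "pwd", "token", "sid",
             "sessionid", "session_id", "phpsessid", "jsessionid"}
URL_FIELD = 6  # index of the URL column in Squid's native access.log format

# Constructed sample lines (documentation addresses, made-up hosts).
SAMPLE_LOG = [
    "1206071166.123    120 192.0.2.10 TCP_MISS/200 4512 GET "
    "http://pay.example/login?user=bob&password=1234 - DIRECT/198.51.100.7 text/html",
    "1206071170.456     85 192.0.2.11 TCP_MISS/200 2310 GET "
    "http://shop.example/cart?PHPSESSID=abc123&item=5 - DIRECT/198.51.100.8 text/html",
    "1206071175.789     40 192.0.2.12 TCP_MISS/200 9120 GET "
    "http://www.example/search?q=squid+proxy - DIRECT/198.51.100.9 text/html",
]

def redact_url(url):
    """Return (url with sensitive values masked, names of masked parameters)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found = [name for name, _ in pairs if name.lower() in SENSITIVE]
    if not found:
        return url, []  # leave untouched: no re-encoding of harmless URLs
    masked = [(n, "REDACTED" if n.lower() in SENSITIVE else v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked))), found

def scrub_line(line):
    """Mask the URL column of one log line; padding is normalised if changed."""
    fields = line.split()
    if len(fields) <= URL_FIELD:
        return line, []
    fields[URL_FIELD], found = redact_url(fields[URL_FIELD])
    return (" ".join(fields) if found else line), found

def scrub_log(lines):
    """Return (scrubbed lines, {line number: masked parameter names})."""
    out, hits = [], {}
    for number, line in enumerate(lines, 1):
        scrubbed, found = scrub_line(line)
        out.append(scrubbed)
        if found:
            hits[number] = found
    return out, hits
```

The hits mapping doubles as a report of which logged requests carried credentials or session IDs in the URL.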
