> > > If we have (persistent) result set names, do we still need session ids?

> > Yes. Otherwise you could subvert other users' result sets as you don't
> > know who created it.

> By "subvert" I assume you're referring to spoofing? (That is, I assume we're
> not concerned about ambiguity, since the server is assigning names.) How does
> the session id help with that problem?

As I understand it, you should refuse requests on resultsets where the session id is different from the one that created the result set.

So, session A creates a resultset called 'rs1'. Session B, a rogue SOAP DDOS attack, sends repeated delete resultset messages. Without the session id to distinguish A from B, if B sent delete 'rs1' then the server would have to do it.

Welcome to the wonderful world of stateless connections :/

Rob

--
      ,'/:.          Rob Sanderson
    ,'-/::::.        http://www.o-r-g.org/~azaroth/
  ,'--/::(@)::.      Special Collections and Archives, extension 3142
,'---/::::::::::.    Twin Cathedrals: telnet: liverpool.o-r-g.org 7777
____/:::::::::::::.  WWW: http://liverpool.o-r-g.org:8000/
I L L U M I N A T I
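The ownership check described in the message above, as an added example that is not part of the original thread or of any real server's code: each result set is bound to the session id that created it, and requests from any other session are refused. The class and method names (`ResultSetStore`, `new_session`, `create`, `fetch`, `delete`) are hypothetical, and the session ids are assumed to be unguessable server-issued tokens.

```python
import hmac
import secrets


class ResultSetError(Exception):
    """Refusal; identical for 'unknown name' and 'not your result set'."""


class ResultSetStore:
    """Hypothetical in-memory store binding each result set to its creating session."""

    def __init__(self):
        self._sets = {}      # name -> (owner session id, records)
        self._counter = 0

    def new_session(self):
        # Assumption: ids are random tokens; a guessable id is as spoofable as a name.
        return secrets.token_urlsafe(32)

    def create(self, session_id, records):
        self._counter += 1
        name = f"rs{self._counter}"   # server-assigned: unambiguous but predictable
        self._sets[name] = (session_id, list(records))
        return name

    def _owned(self, session_id, name):
        entry = self._sets.get(name)
        # Constant-time comparison; the same error either way, so a caller
        # cannot probe which names exist in other sessions.
        if entry is None or not hmac.compare_digest(
            entry[0].encode(), session_id.encode()
        ):
            raise ResultSetError("no such result set")
        return entry

    def fetch(self, session_id, name):
        return list(self._owned(session_id, name)[1])

    def delete(self, session_id, name):
        self._owned(session_id, name)
        del self._sets[name]


def demo():
    """Session A creates 'rs1'; session B repeatedly tries to delete it."""
    store = ResultSetStore()
    a, b = store.new_session(), store.new_session()
    name = store.create(a, ["rec1", "rec2"])   # constructed sample records
    refused = 0
    for _ in range(3):
        try:
            store.delete(b, name)
        except ResultSetError:
            refused += 1
    return store, a, name, refused
```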