Vulnerability Development mailing list archives

Re: "tinyurl" url masking


From: Lincoln Yeoh <lyeoh () pop jaring my>
Date: Tue, 13 Sep 2005 21:27:40 +0800


> Which shows that Gmail (which I use to write this email) is badly
> designed, logout should be used via a POST only...

Well I prefer to use url/form "signing" for certain actions in some of my webapps.

Fake example:
http://somewhere.null/webapp?do=transfer&src=1234&dst=5678&amt=5551&sig=ac36d415b9fc2ffb68171185ef2bd7da

Where sig could be a crypto hash of: the parameters, the session cookie/id value (making replay harder) and a site secret. You could even add a salt if you want, or do more sophisticated stuff.

Of course, for high impact actions, you'd get a confirmation page - clicking yes submits the necessary confirmation keys/signatures to match some of the parameters sent.

In Gmail's defense, not protecting logout isn't so bad (you might disagree if you just composed a long message and haven't saved or sent it and somehow got logged out ;) ).

> I think that it would be easier to fix the issue in the browser, to
> have browsers not use cookies over a redirect? (thinking only at
> session related scenarios)

That would break a fair number of things, or make things fairly inconvenient. HTTP 302 redirects are a very common tool for webapps.

Many sites have the target page of a login form redirect to a subsequent page. This is to prevent a browser refresh from rePOSTing the credentials. Otherwise if you don't close the browser (yes I know ;) ), someone could click the browser back button till the page just after the login form, click refresh, and the browser will repost the login form values.

Regards,
Link.
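The URL/form signing scheme described above, as an added example that is not part of the original post. It uses an HMAC-SHA256 under a site secret rather than a plain hash over a concatenation (my choice, not the author's), covers every parameter except the signature itself, binds the session id so a link pasted into another session fails, and adds a "purpose" label so a clickable link cannot be replayed as the confirmation POST that executes the action. The site secret, session id, parameter names and URL are all constructed for this example.

```python
"""Signed action URLs: HMAC over the action parameters, bound to the session id
and a site secret. Added example with hypothetical names and values."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical site secret, constructed for this example. A real deployment
# loads it from a secrets store; it is never hardcoded.
SITE_SECRET = b"example-site-secret-not-for-production"


def _canonical(params, session_id, purpose):
    """Deterministic byte string covering every parameter except the signature.

    Keys are sorted so reordering does not change the digest; the purpose label
    separates a clickable link from the confirmation POST that executes it; the
    session id ties the signature to the browser session that received the link.
    """
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return b"|".join([purpose.encode(), urlencode(items).encode(), session_id.encode()])


def sign(params, session_id, purpose="link"):
    """Hex HMAC-SHA256 of the canonical form under the site secret."""
    return hmac.new(SITE_SECRET, _canonical(params, session_id, purpose), hashlib.sha256).hexdigest()


def build_url(base, params, session_id):
    """Emit the action link with its signature appended as the sig parameter."""
    query = dict(params)
    query["sig"] = sign(params, session_id, "link")
    return base + "?" + urlencode(query)


def _parse(query_string):
    """Parse a query string, rejecting duplicate keys (parameter pollution)."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        return None
    return dict(pairs)


def verify(query_string, session_id, purpose="link"):
    """Return the verified parameters (without sig), or None on any failure."""
    params = _parse(query_string)
    if params is None or "sig" not in params:
        return None
    expected = sign(params, session_id, purpose)
    # Constant-time comparison so the check does not leak the expected digest.
    if not hmac.compare_digest(expected, params["sig"]):
        return None
    return {k: v for k, v in params.items() if k != "sig"}


def confirmation_form_fields(params, session_id):
    """Hidden fields for the 'are you sure?' page: the same parameters, signed
    under the 'confirm' purpose, so the original link alone cannot execute."""
    fields = dict(params)
    fields["sig"] = sign(params, session_id, "confirm")
    return fields


if __name__ == "__main__":
    session = "s3ss10n-c00k13-value"  # constructed session id
    action = {"do": "transfer", "src": "1234", "dst": "5678", "amt": "5551"}
    url = build_url("http://somewhere.null/webapp", action, session)
    qs = urlsplit(url).query
    print(url)
    print("same session:        ", verify(qs, session) == action)
    print("other session:       ", verify(qs, "someone-elses-session") is None)
    print("amount tampered:     ", verify(qs.replace("amt=5551", "amt=9999"), session) is None)
    print("link used as confirm:", verify(qs, session, "confirm") is None)
    form = confirmation_form_fields(action, session)
    print("confirm POST:        ", verify(urlencode(form), session, "confirm") == action)
```

Because the session id is part of the signed input, a signed link copied out of one browser is rejected in another; because the whole parameter set is covered, neither editing `amt` nor appending extra parameters survives verification. The link still carries no expiry, so a link captured in the same session stays valid until that session ends; a timestamp or nonce in the canonical string would close that gap.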

