On Tue, Aug 07, 2012 at 02:01:11PM +0200, Tomas Hrcka wrote:
> On Mon, 2012-08-06 at 10:45 -0400, Matt Wagner wrote:
> > I wonder if it would be lunacy to set a custom HTTP header, which looks
> > to be possible through Backbone. Something along the lines of
> > X-Is-Backbone or whatnot. This might be easier than trying to globally
> > alter URLs, and it's a valid use of headers. Does this sound like lunacy
> > to you guys?
> In a way isn't ^ the same as modifying URL? I mean the code
> creating/modifying the header will be on client side...

It is pretty similar from that point. I was just recommending it because
it seemed like it might be easier to implement. (But I could be wrong,
too.)

I think that indicating a request should _not_ keep your session active
is okay. I don't see anything an attacker could do with that. Though I
should note that I'm really just going by what seems to make sense to
me, versus any sort of expert security background.
-- Matt
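
Added example, not part of the original thread or the project's code: a framework-free JavaScript model of the server-side check under discussion, in which requests carrying the X-Is-Backbone header are authenticated as usual but do not reset the idle timer. The 15-minute timeout, the function names and the simulated requests are assumptions.

```javascript
// Added illustration; names, timeout and sample requests are constructed.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000; // assumed idle timeout
const PASSIVE_HEADER = 'x-is-backbone'; // header name floated in the thread

// Header names are case-insensitive, so compare in lower case.
function isPassive(headers) {
  return Object.keys(headers).some((k) => k.toLowerCase() === PASSIVE_HEADER);
}

// sessions: Map of session id -> { user, lastActivity }
// Returns { status, refreshed } and updates lastActivity only for
// requests that are not marked as passive.
function handleRequest(sessions, req, now) {
  const session = sessions.get(req.sessionId);
  if (!session) return { status: 401, refreshed: false };
  // Expiry is checked first for every request: the header never grants
  // access or revives a session, it can only withhold a refresh.
  if (now - session.lastActivity > IDLE_TIMEOUT_MS) {
    sessions.delete(req.sessionId);
    return { status: 401, refreshed: false };
  }
  if (isPassive(req.headers)) return { status: 200, refreshed: false };
  session.lastActivity = now;
  return { status: 200, refreshed: true };
}

// Constructed scenario: one user action at t=0, then a poll every minute
// carrying pollHeaders. Returns the HTTP status of each poll.
function simulate(pollHeaders, minutes) {
  const sessions = new Map([['s1', { user: 'alice', lastActivity: 0 }]]);
  const results = [];
  for (let m = 1; m <= minutes; m++) {
    const req = { sessionId: 's1', headers: pollHeaders };
    results.push(handleRequest(sessions, req, m * 60 * 1000).status);
  }
  return results;
}
```

With the header on every poll the session lapses once the timeout passes; a client that omits it only gets the ordinary keep-alive behaviour it would have had without the feature.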