Re: Problem while using cookieless session
From: Cactus Corp. (nXewsXalaXksaX_at_nXxtg.XnetX)
Date: 08/16/05
- Next message: Paul Clement: "Re: Creating files in a unc shared drive."
- Previous message: Alex: "Re: Creating files in a unc shared drive."
- In reply to: Priya: "Problem while using cookieless session"
- Next in thread: Priya: "Re: Problem while using cookieless session"
- Reply: Priya: "Re: Problem while using cookieless session"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Aug 2005 17:03:20 +0200
> We are facing problems while using cookieless session. When the user copies
> and pastes the url from one machine to another, he is able to access the data
> entered by the first user. Is there any way to eliminate this problem?
>
> Thanks in advance.
Hello,
The session identifier is used to identify which session the visitor is linked to.
As it sounds....
Consequently, if someone does a copy/paste of one of your cookie-less
URLs, he gets access to your session.
The role of the SESSIONID is to establish the link: this is an identification
process. What you're looking for is an authentication process: after identifying
which session is requested, you want the application to make sure nobody is
usurping an identity.
You need to add a few checks to make sure of this. There are many discussions
about that; the term used by many security professionals is "session hijacking".
For example:
- adding secure tokens to your urls
- IP address to session-id link
- challenged URLs
- ...and so on...
Good luck!
Antonio
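The identification-versus-authentication distinction from the reply above, as an added example that is not part of the original thread: a constructed cookieless session store where `identify()` hands the session to whoever pastes the URL, and `authenticate()` adds one of the checks the reply lists (a server-keyed token in the URL bound to the client IP). Host name, function names and the query-string layout are assumptions for illustration.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed illustration, not the poster's code: a minimal cookieless
# session store where the session id travels in the URL. identify() is the
# identification-only lookup the reply describes; authenticate() adds the
# check that binds the issued URL to the client it was issued to.
SERVER_SECRET = secrets.token_bytes(32)   # server-side only, never sent to clients
_sessions: dict = {}                       # sid -> {"data": ...}

def _bind_token(sid: str, client_ip: str) -> str:
    """HMAC over the session id and the client's IP, keyed with the server secret."""
    msg = f"{sid}|{client_ip}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def create_session(client_ip: str, data: dict) -> str:
    """Start a session and return the cookieless URL issued to that client."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"data": data}
    query = urlencode({"sid": sid, "tok": _bind_token(sid, client_ip)})
    return f"https://app.example.test/orders?{query}"   # constructed host

def _params(url: str) -> tuple:
    q = parse_qs(urlparse(url).query)
    return q.get("sid", [""])[0], q.get("tok", [""])[0]

def identify(url: str):
    """Identification only: whoever presents the session id gets the session."""
    sid, _ = _params(url)
    entry = _sessions.get(sid)
    return entry["data"] if entry else None

def authenticate(url: str, client_ip: str):
    """Identification plus an authentication step: the id alone is not enough.
    The token verifies only for the IP the URL was issued to, so the same URL
    pasted on another machine is rejected. Caveat: clients behind one NAT or
    proxy share an IP, so this binding alone is not a complete defence."""
    sid, tok = _params(url)
    entry = _sessions.get(sid)
    if entry is None:
        return None
    expected = _bind_token(sid, client_ip)
    if not hmac.compare_digest(expected, tok):   # constant-time comparison
        return None
    return entry["data"]
```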