• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
RE: Hiding session id in the URL
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Hiding session id in the URL


  • Subject: RE: Hiding session id in the URL
  • From: "Randy Wigginton" <email@hidden>
  • Date: Tue, 7 Mar 2006 15:57:21 -0500

Not true.  Cookies for secure sites, as long as they are session only, are
supposed to be stored in memory.

-----Original Message-----
From: webobjects-dev-bounces+cawineguy=email@hidden
[mailto:webobjects-dev-bounces+cawineguy=email@hidden] On
Behalf Of Chuck Hill
Sent: Tuesday, March 07, 2006 3:55 PM
To: webobjects-dev
Subject: Re: Hiding session id in the URL

Of course, if they can copy the URL, they can also look at the
cookies and copy them.  You can add a separate cookie of your own and
cross validate them, but that only makes it harder.  Or, if it is
available, you can keep the user's IP in their session and check that
the IP of each new request matches it.  But, at some point, all of
this can be spoofed.

Chuck

On Mar 7, 2006, at 12:49 PM, Sacha Michel Mallais wrote:

> On Mar 7, 2006, at 12:35 PM, Tanmoy Roy wrote:
>
>> I have an application which does quite a lot of form submissions. My
>> application is a secured application and if the Session id is exposed
>> then any user can copy the URL and paste the same in his/her browser
>> then he/she will be able to view the same page as that of the other
>> user. This has to be protected so that whenever he/she does that
>> he/she will be presented with a new login page.
>
> You can tell WO to use cookies to store the session IDs.  Check out
> WOSession.setStoresIDsInCookies().
>
>
> sacha
>
>
> --
> Sacha Michel Mallais             Senior Developer / President
> Global Village Consulting Inc.   http://www.global-village.net/
> PGP Key ID: 7D757B65             AIM: smallais
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> 40global-village.net
>
> This email sent to email@hidden

--
Coming in 2006 - an introduction to web applications using WebObjects
and Xcode     http://www.global-village.net/wointro

Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems.    http://www.global-village.net/products/practical_webobjects




 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

  • Follow-Ups:
    • Re: Hiding session id in the URL
      • From: Chuck Hill <email@hidden>
References: 
 >Re: Hiding session id in the URL (From: Chuck Hill <email@hidden>)

  • Prev by Date: Re: Hiding session id in the URL
  • Next by Date: Re: Hiding session id in the URL
  • Previous by thread: Re: Hiding session id in the URL
  • Next by thread: Re: Hiding session id in the URL
  • Index(es):
    • Date
    • Thread