Re: Hiding session id in the URL
  • Subject: Re: Hiding session id in the URL
  • From: Gino Pacitti <email@hidden>
  • Date: Tue, 7 Mar 2006 21:05:30 +0000

Wouldn't an https session handle this though?

Gino
On 7 Mar 2006, at 21:02, Chuck Hill wrote:

And most every browser has a way to display them.

On Mar 7, 2006, at 12:57 PM, Randy Wigginton wrote:

Not true. Cookies for secure sites, as long as they are session only, are
supposed to be stored in memory.


-----Original Message-----
From: webobjects-dev-bounces+cawineguy=email@hidden
[mailto:webobjects-dev-bounces+cawineguy=email@hidden] On
Behalf Of Chuck Hill
Sent: Tuesday, March 07, 2006 3:55 PM
To: webobjects-dev
Subject: Re: Hiding session id in the URL


Of course, if they can copy the URL, they can also look at the
cookies and copy them.  You can add a separate cookie of your own and
cross validate them, but that only makes it harder.  Or, if it is
available, you can keep the user's IP in their session and check that
the IP of each new request matches it.  But, at some point, all of
this can be spoofed.

Chuck

On Mar 7, 2006, at 12:49 PM, Sacha Michel Mallais wrote:

On Mar 7, 2006, at 12:35 PM, Tanmoy Roy wrote:

I have an application which does quite a lot of form submissions. My
application is a secured application and if the Session id is exposed
then any user can copy the URL and paste the same in his/her browser
then he/she will be able to view the same page as that of the other
user. This has to be protected so that whenever he/she does that
he/she will be presented with a new login page.

You can tell WO to use cookies to store the session IDs. Check out WOSession.setStoresIDsInCookies().


sacha


-- Sacha Michel Mallais Senior Developer / President Global Village Consulting Inc. http://www.global-village.net/ PGP Key ID: 7D757B65 AIM: smallais


_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list (email@hidden) Help/Unsubscribe/Update your Subscription: 40global-village.net

This email sent to email@hidden

-- Coming in 2006 - an introduction to web applications using WebObjects and Xcode http://www.global-village.net/wointro

Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems. http://www.global-village.net/products/practical_webobjects
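
The cross-validation and IP check suggested in the thread, sketched in plain Java as an added example that is not code from any poster or from WebObjects: a second cookie carries an HMAC over the session ID and the client IP recorded at login, and a request that fails the check is sent to the login page. The class name, method names and sample values are hypothetical, and using an HMAC for the companion cookie is an assumption about how to implement "a separate cookie of your own".

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; class and method names are hypothetical, not WebObjects API.
public class SessionBindingCheck {
    private final SecretKeySpec key;

    public SessionBindingCheck(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    // Value for the second cookie: HMAC over the session ID and the IP seen at login.
    public String companionCookie(String sessionId, String clientIp) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            mac.update(sessionId.getBytes(StandardCharsets.UTF_8));
            mac.update((byte) 0); // separator so ("ab","c") and ("a","bc") differ
            mac.update(clientIp.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // True only if the companion cookie matches this session ID and this request's IP.
    // On false, the caller discards the session and shows the login page.
    public boolean requestMatchesSession(String sessionId, String companion, String requestIp) {
        if (sessionId == null || companion == null || requestIp == null) return false;
        byte[] expected = companionCookie(sessionId, requestIp).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, companion.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SessionBindingCheck check = new SessionBindingCheck(secret);
        // Constructed sample values (documentation IP ranges, made-up session ID).
        String sid = "EXAMPLE-SESSION-ID";
        String cookie = check.companionCookie(sid, "192.0.2.10");
        System.out.println(check.requestMatchesSession(sid, cookie, "192.0.2.10"));   // same client
        System.out.println(check.requestMatchesSession(sid, null, "192.0.2.10"));     // URL pasted, no cookie
        System.out.println(check.requestMatchesSession(sid, cookie, "198.51.100.7")); // cookie used from another IP
    }
}
```

As the thread says, this only makes copying harder: anyone who can read the browser's cookies can copy both values, and clients behind proxies may legitimately change IP between requests.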




