Re: Hiding session id in the URL
Re: Hiding session id in the URL
- Subject: Re: Hiding session id in the URL
- From: Gino Pacitti <email@hidden>
- Date: Tue, 7 Mar 2006 21:05:30 +0000
Wouldnt a https session handle this though?
Gino
On 7 Mar 2006, at 21:02, Chuck Hill wrote:
And most every browser has a way to display them.
On Mar 7, 2006, at 12:57 PM, Randy Wigginton wrote:
Not true. Cookies for secure sites, as long as they are session
only, are
supposed to be stored in memory.
-----Original Message-----
From: webobjects-dev-bounces+cawineguy=email@hidden
[mailto:webobjects-dev-bounces
+cawineguy=email@hidden] On
Behalf Of Chuck Hill
Sent: Tuesday, March 07, 2006 3:55 PM
To: webobjects-dev
Subject: Re: Hiding session id in the URL
Of course, if they can copy the URL, they can also look at the
cookies and copy them. You can add a separate cookie of your own and
cross validate them, but that only makes it harder. Or, if it is
available, you can keep the user's IP in their session and check that
the IP of each new request matches it. But, at some point, all of
this can be spoofed.
Chuck
On Mar 7, 2006, at 12:49 PM, Sacha Michel Mallais wrote:
On Mar 7, 2006, at 12:35 PM, Tanmoy Roy wrote:
I have an application which does quite a lot of form
submissions. My
application is a secured application and if the Session id is
exposed
then any user can copy the URL and paste the same in his/her
browser
then he/she will be able to view the same page as that of the other
user. This has to be protected so that whenever he/she does that
he/she will be presented with a new login page.
You can tell WO to use cookies to store the session IDs. Check out
WOSession.setStoresIDsInCookies().
sacha
--
Sacha Michel Mallais Senior Developer / President
Global Village Consulting Inc. http://www.global-village.net/
PGP Key ID: 7D757B65 AIM: smallais
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
40global-village.net
This email sent to email@hidden
--
Coming in 2006 - an introduction to web applications using WebObjects
and Xcode http://www.global-village.net/wointro
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems. http://www.global-village.net/products/
practical_webobjects
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
40gmail.com
This email sent to email@hidden
--
Coming in 2006 - an introduction to web applications using
WebObjects and Xcode http://www.global-village.net/wointro
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems. http://www.global-village.net/products/
practical_webobjects
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
40mac.com
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden