how to prevent users from sharing their cookieless session id?
- From: Liam <Liam@xxxxxxxx>
- Date: Fri, 10 Mar 2006 11:49:48 -0500
We are using cookieless sessions, and so the URL shows the session id, e.g. http://ourdomain.com(ixbradnm5qmdfwikrt1mcfi3)/somepage.aspx.
When a user comes to our main page, they have to provide a username and password. We authenticate the username and password against our database, and if they match, we let the user in the door, so to speak, by assigning session variables with a new visitid, and a unique visitorid, and then redirecting the user to our internal pages.
We want each user's session to be unique to the user.
How can we stop the practice where a user, who has made it through the door, pastes an inner page's URL into an email message and sends it to his or her colleagues (when they find something they'd like to share, for example)? If the session hasn't timed out, the colleagues who receive the email and click on the link get access to the original user's session and personal information, such as last 10 items viewed, email address, interests, and so forth, etc.
Thanks
Liam
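One partial mitigation for the situation described in the post, shown as an added example that is not part of the original thread: record a fingerprint of the client at login and refuse requests that present the same session id from a different client. The class name `SessionBinding` and the session variable `ClientBinding` are hypothetical, and the sketch assumes the login page calls `SessionBinding.Bind` once the username and password have been verified.

```csharp
// Added example for Global.asax.cs; SessionBinding and "ClientBinding" are hypothetical names.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public static class SessionBinding
{
    const string Key = "ClientBinding"; // hypothetical session variable

    // Hash of the client attributes the server can see without a cookie.
    static string Fingerprint(HttpRequest req)
    {
        string raw = req.UserHostAddress + "|" + (req.UserAgent ?? "");
        using (SHA256 sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(raw)));
    }

    // Call once, right after the username/password check succeeds.
    public static void Bind(HttpContext ctx)
    {
        ctx.Session[Key] = Fingerprint(ctx.Request);
    }

    // True when the session is not yet bound (no login) or the caller matches.
    public static bool Matches(HttpContext ctx)
    {
        string bound = ctx.Session[Key] as string;
        return bound == null || bound == Fingerprint(ctx.Request);
    }
}

public class Global : HttpApplication
{
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpSessionState session = Context.Session; // null for handlers without session state
        if (session == null || SessionBinding.Matches(Context)) return;

        // Same session id, different client: refuse the request but leave the
        // owner's session intact, so a forwarded link cannot log the owner out.
        Response.StatusCode = 403;
        CompleteRequest(); // skip the page handler and go straight to EndRequest
    }
}
```

Colleagues behind the same NAT address with the same browser build produce the same fingerprint, and clients whose address changes mid-session are rejected, so this narrows the exposure rather than closing it. Keeping the session id out of the URL altogether requires cookie-based sessions (`cookieless="false"` on the `sessionState` element in web.config).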