Re: how to prevent users from sharing their cookieless session id?
- From: "Bruce Barker" <brubar_nospamplease_@xxxxxxxxxx>
- Date: Fri, 10 Mar 2006 10:24:53 -0800
This is the main disadvantage of using the url for session id. There are no
easy fixes. You can change the url session id on every page flip, and not
honor old session ids. This has the side effect that if the user refreshes, they
have to login again. A better approach is to store session id in a hidden
field, and avoid redirects.
-- bruce (sqlwork.com)
"Liam" <Liam@xxxxxxxx> wrote in message
news:OZ9JLLGRGHA.4956@xxxxxxxxxxxxxxxxxxxxxxx
We are using cookieless sessions, and so the URL shows the session id,
e.g. http://ourdomain.com(ixbradnm5qmdfwikrt1mcfi3)/somepage.aspx.
When a user comes to our main page, they have to provide a username and
password. We authenticate the username and password against our database,
and if they match, we let the user in the door, so to speak, by assigning
session variables with a new visitid, and a unique visitorid, and then
redirecting the user to our internal pages.
We want each user's session to be unique to the user.
How can we stop the practice where a user, who has made it through the
door, pastes an inner page's URL into an email message and sends it to his
or her colleagues (when they find something they'd like to share, for
example)? If the session hasn't timed out, the colleagues who receive the
email and click on the link get access to the original user's session and
personal information, such as last 10 items viewed, email address,
interests, and so forth, etc.
Thanks
Liam
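As an added illustration (not code from this thread or from ASP.NET), a small Python session store that does what Bruce describes: the id carried in the URL is retired on every request, so a pasted link stops working as soon as the original user loads another page. Class and function names here are my own.

```python
import secrets
import time


class RotatingSessionStore:
    """Server-side session store that issues a fresh id on every request.

    Constructed for this example: each request presents the id from the URL,
    the store re-keys the session and the old id is no longer honoured.
    """

    def __init__(self, ttl_seconds=1200):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> {"data": dict, "expires": float}

    def create(self, data):
        """Start a session after login; returns the first id to put in the URL."""
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = {"data": data, "expires": time.time() + self.ttl}
        return sid

    def touch(self, sid):
        """Validate sid, retire it, return (new_sid, data); None if unknown or expired.

        Because the old id is popped, re-submitting it (a refresh, a forwarded
        link) fails and that user must log in again, the side effect Bruce notes.
        """
        entry = self._sessions.pop(sid, None)
        if entry is None or entry["expires"] < time.time():
            return None
        new_sid = secrets.token_urlsafe(24)
        self._sessions[new_sid] = {"data": entry["data"],
                                   "expires": time.time() + self.ttl}
        return new_sid, entry["data"]


def shared_link_is_dead():
    """Replay the scenario from the question with constructed data."""
    store = RotatingSessionStore()
    sid = store.create({"visitorid": 42})
    pasted_url_sid = sid            # what the user copies into an email
    sid, _ = store.touch(sid)       # user flips to another page; id rotates
    # A colleague clicking the emailed link presents the retired id.
    return store.touch(pasted_url_sid) is None
```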