> From: Dave [mailto:[EMAIL PROTECTED]]
> Hi, I am using URL rewriting for session tracking, ie,
> session id is on the URL. After I login into a web
> application, if someone else knows my current session id,
> he/she can access my account using the session id. It is ok
> because it is difficult fo
Dave,
Dave wrote:
> Is there a solution for this scenario? the same security hole for
> cookie based session tracking? In our case, we have to use URL
> rewriting because sometimes a new session is needed when users click
> some links on pages.
Hi Martin,
Thanks for your help.
I looked at the two links you provided. But I do not understand how they can
solve the problem. I must be missing something.
For SSL, the URL still needs to have session id, for example,
https://www.xyz.com/returnPage.jsp;jsessionid=188727usdfkj
Hi Dave,
http://www.securityfocus.com/infocus/1774
suggests either implementing with
SSL connector
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
-or-
Encrypt each sessionid
If you don't have the former, you'll definitely want to implement the latter.
Here's an example:
http://www.spiration.c
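As an added illustration (not code from this thread or from Tomcat) of the risk Dave describes, the following servlet filter discards the session id a client was using before login when that id arrived via URL rewriting, so an id learned before authentication cannot be reused afterwards. The `user` session attribute marking a completed login, the class name and the `sessionIdRotated` flag are assumptions, not part of the original post.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
// Hypothetical filter, not from the thread or from Tomcat. When a logged-in
// session's id arrived via URL rewriting (;jsessionid=...) and has not yet been
// rotated, the pre-login id is discarded and the container issues a fresh one.
// The attribute "user" marking a completed login is an assumption about the app.
public class UrlSessionIdRotationFilter implements Filter {
    static final String LOGIN_MARKER = "user";        // assumed: set by the login code
    static final String ROTATED = "sessionIdRotated"; // our own flag, set once per login
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (needsRotation(request)) {
            rotate(request, request.getSession(false));
        }
        chain.doFilter(req, res);
    }
    // True only for a valid URL-carried id of an authenticated, not-yet-rotated session.
    static boolean needsRotation(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null
            && request.isRequestedSessionIdFromURL()
            && request.isRequestedSessionIdValid()
            && session.getAttribute(LOGIN_MARKER) != null
            && session.getAttribute(ROTATED) == null;
    }
    // Copy attributes into a new session, invalidate the exposed one, flag the new one.
    static HttpSession rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true); // container generates a new id
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(ROTATED, Boolean.TRUE);
        return fresh;
    }
}
```

Rotating once at login closes the window in which an id observed before login stays valid, but it does not stop the new id from being read off the URL afterwards; that exposure is what the SSL connector suggested above addresses.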