> My question is, how do you guarantee security of that information? Suppose
> that you have cookieId 222. You go into your cookies and change this
> manually to 333. Suppose that the person who *really* had cookieId 333 is
> currently logged on to your system, and thus their session is still valid.
> This would mean that you would be able to hijack another user's session.
> How do you get around this?
The server should digitally sign the cookie's value so that it can be sure
that it originated the cookie.
For example, instead of sending the ID, it could send concat(ID, random())
(in your example, "333-43756285628523526"), and store the random value in
the HttpSession (say in a .random field). When it gets a cookie, it compares
session[cookie.id].random with cookie.random. If they match, the cookie is
authentic.
- Avi
--
s/\be(\w+)/e-\1/g;
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
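The concat(ID, random) scheme from the reply above, as an added example (not code from the thread or from any EJB container): an in-memory stand-in for the HttpSession table holds each session's random part, the random part comes from the OS CSPRNG, and the comparison is constant-time. The session store, function names and the replayed 222/333 scenario are constructed for this example.

```python
import secrets
import hmac

# Constructed stand-in for the container's HttpSession table:
# session id -> {"random": <per-session secret>}.
SESSIONS: dict[str, dict] = {}


def create_session(session_id: str) -> str:
    """Create a session and return the cookie value the server would set.

    The cookie is concat(ID, random) as in the reply. The random part comes
    from secrets (OS CSPRNG), not a predictable generator, so another client
    cannot derive a live session's secret from its own.
    """
    token = secrets.token_hex(16)
    SESSIONS[session_id] = {"random": token}
    return f"{session_id}-{token}"


def lookup_session(cookie_value: str):
    """Return the session for a cookie, or None if it is missing or tampered."""
    session_id, sep, presented = cookie_value.partition("-")
    if not sep:
        return None  # malformed cookie: no random part at all
    session = SESSIONS.get(session_id)
    if session is None:
        return None  # no live session with that ID
    # Constant-time compare so response timing does not leak matching bytes.
    if not hmac.compare_digest(session["random"], presented):
        return None  # ID guessed correctly but the secret is wrong: reject
    return session


def demo() -> dict:
    """Replay the question's scenario: the holder of 222 rewrites the ID to 333."""
    cookie_222 = create_session("222")
    cookie_333 = create_session("333")  # the victim really is logged in
    # Attacker keeps their own random part but swaps the ID.
    forged = "333-" + cookie_222.split("-", 1)[1]
    return {
        "own": lookup_session(cookie_222) is not None,         # True
        "victim_own": lookup_session(cookie_333) is not None,  # True
        "forged": lookup_session(forged) is not None,          # False
        "bare_id": lookup_session("333") is not None,          # False
    }
```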