Hi,

    There is a way to track the accessing of the application using the referer.
This is effective if the user is directly typing the URL instead of clicking
a link which he is supposed to. The referer is generally null if you
directly type the URL in the URL window and access the server. The
referer also indicates where the request actually originated from. So use
the referer to track whether the request came from an authentic site.

    For example, this is what we are doing in our pages and servlets. The
code snippet will return a boolean indicating whether the request is
authentic or not. It checks whether the referer is null; if not, it compares
the host in the referer with the host of the request:

>>>
String referer = request.getHeader("referer");
if (referer == null)
    return false;
else // Check if the request has come from a page sent by this server only
    return referer.indexOf(request.getHeader("host") + request.getContextPath()) >= 0;
>>>

    The above "else" condition can be used only if you have one web server
for your application (i.e. not a load-balanced web server environment). But in
any case you could always check for the referer being null. Small code but
quite effective in eliminating most of the direct URL accesses.

Thanks

Ajay Mahajan
Wipro Technologies
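
An added example, not part of the original thread: the Referer check described above, done by parsing the header and comparing host and context path exactly rather than with `indexOf`. The class name, the method name and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RefererCheck {

    // Hypothetical helper: in a servlet, pass request.getHeader("referer"),
    // request.getHeader("host") and request.getContextPath().
    static boolean isSameSite(String referer, String hostHeader, String contextPath) {
        if (referer == null || hostHeader == null) {
            return false; // no Referer (typed URL, stripped header) or no Host
        }
        URI uri;
        try {
            uri = new URI(referer);
        } catch (URISyntaxException e) {
            return false; // an unparseable Referer is treated as not authentic
        }
        String host = uri.getHost();
        if (host == null) {
            return false; // relative or opaque URI, no host to compare
        }
        // Rebuild host[:port] the way it appears in a Host header.
        String authority = uri.getPort() == -1 ? host : host + ":" + uri.getPort();
        if (!authority.equalsIgnoreCase(hostHeader)) {
            return false;
        }
        // The path must be the context path itself or something below it.
        String path = uri.getPath() == null ? "" : uri.getPath();
        String ctx = contextPath == null ? "" : contextPath;
        return path.equals(ctx) || path.startsWith(ctx + "/");
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String host = "app.example.com";
        String ctx = "/shop";
        String[] referers = {
            "http://app.example.com/shop/cart.jsp",
            null,
            "http://other.example.net/?u=app.example.com/shop",
            "http://app.example.com.other.example.net/shop/x",
            "http://app.example.com/shopping/x"
        };
        for (String r : referers) {
            System.out.println(r + " -> " + isSameSite(r, host, ctx));
        }
    }
}
```

Only the first sample has both the exact host and a path under the context path; the others differ in host or path even though three of them contain the string `app.example.com/shop`.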

Date: Thu, 21 Sep 2000 07:42:53 -0500
From: Chris Heinemann <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Session Tracking Problem???
Message-ID: <[EMAIL PROTECTED]>


There isn't any way to know which browser window it is from.  However, you
could set a session variable to the IP address that the session belongs to.
Then on each request you could check that the request made comes from the
value in the session.

EG:

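// getSession(false) returns null when no session exists yet;
// getSession() would create one and never return null.
HttpSession session = request.getSession(false);
if (session == null) {
  session = request.getSession(true);
  session.setAttribute("IP_ADDR", request.getRemoteAddr());
}

// getAttribute returns Object, so cast it back to String
String ipaddr = (String) session.getAttribute("IP_ADDR");
if (request.getRemoteAddr().equals(ipaddr)) {
   //do the proper stuff
} else {
   //send a security message
}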


Hope this helps,
Chris Heinemann
Internet Administrator, Horace Mann

Raj Kumar Jha wrote:

> Hi,
>    I am using URL rewriting for session tracking. The problem here is that
> if someone makes a note of the session id from the browser or listens to it
> on the net and uses the same session id to request a service I am not able
> to differentiate between the two users. Any suggestions on how I can tie a
> session to a particular browser window?
> Thanks in Advance,
> Raj
> [EMAIL PROTECTED]


