The session id in the servlet API is guaranteed to be unique, and the string is quite long. The likelihood that you would be able to guess someone else's session id is extremely small. If you send back an altered session id and the server has no session object with which to match, it will probably throw an exception, which will need to be handled in some manner.

Also, there are other situations where it is not practical to rely alone on encoding each and every link to maintain sessions and session data. Sometimes it is necessary to create hidden fields in forms. In these cases the session data won't show up in the browser's URL field.

-ernie

Andras Balogh wrote:

Hi all,

I have a strange question. When the session is maintained with URL rewriting, the session id is added at the end of a link. Now if I follow this link I can see a long session id number. What happens if I MANUALLY modify this number at client side? Will I end up in somebody else's session? This should be possible, no? Every answer is appreciated.

Best wishes,

Andras.
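The exchange above, as an added example that is not part of the thread: a small Python simulation of a session store that maintains sessions by URL rewriting the way a servlet container does (the `;jsessionid=` path parameter is the real Servlet convention; the 16-byte random id length and the store itself are assumptions for this illustration). It shows that an id edited by hand simply fails to match any session rather than landing in another user's session, and how small the odds of a blind guess are.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed example: a minimal session store that mimics how a servlet
# container maintains sessions via URL rewriting (;jsessionid=...).
SESSION_ID_BYTES = 16  # 128 bits of randomness; assumed length for this demo


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user):
        # Ids come from a CSPRNG, so they are unique and not guessable.
        sid = secrets.token_hex(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        """Return the session for sid, or None when the server has no match.
        An unknown id is treated as 'no session', never as someone else's."""
        return self._sessions.get(sid)


def encode_url(url, sid):
    """URL rewriting: append ;jsessionid=<sid> to the path component."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path + ";jsessionid=" + sid, p.query, p.fragment))


def extract_sid(url):
    """Pull the id back out of a rewritten link; None if the link carries none."""
    path = urlsplit(url).path
    marker = ";jsessionid="
    if marker not in path:
        return None
    return path.split(marker, 1)[1]


def tamper(sid):
    """Flip the last hex digit, as a client editing the URL by hand would."""
    replacement = "0" if sid[-1] != "0" else "1"
    return sid[:-1] + replacement


def guess_probability(active_sessions, id_bytes=SESSION_ID_BYTES):
    """Chance that one random guess hits any of the currently active session ids."""
    return active_sessions / 2 ** (8 * id_bytes)


def demo():
    store = SessionStore()
    andras = store.create("andras")
    store.create("ernie")
    link = encode_url("https://example.com/app/page?x=1", andras)
    # Following the unaltered link resolves to the owner's own session.
    own = store.lookup(extract_sid(link))["user"]
    # Editing the id: no session matches, so the server sees no session at all.
    tampered = store.lookup(tamper(extract_sid(link)))
    return {
        "own": own,
        "tampered": tampered,
        "guess_probability": guess_probability(1_000_000),  # a million live sessions
    }


if __name__ == "__main__":
    print(demo())
```

One practical note on the servlet side: a container does not need to throw for an unknown id. `HttpServletRequest.getSession(false)` returns null, `isRequestedSessionIdValid()` returns false, and `getSession()` quietly creates a fresh session, so the edited link leaves the client anonymous or with a new empty session, not inside another user's.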
