Hi,
That brings me to a related question.
How can sessions be made secure and unfakable to a reasonable extent?
A user can use SSL to log in and create sessions. But SSL is expensive and
overkill for most purposes.
1. How can SSL sessions be useful for a normal session if they are considered
a different server?
2. How can the cookies passed between client and server that identify the
session be made reasonably secure?
So that people cannot fake it simply by reading a text file and editing
it...
Thanks for the great question/answers!
KZL
On Tue, 21 Dec 1999 17:30:32 -0800, A mailing list for discussion about Sun Microsystem's Java Servlet API Technology. wrote:
> Jean Bresse wrote:
>
> > Hi:
> >
> > I know that a session can be destroyed by invoking the invalidate()
> > method. It can also be destroyed once a certain time has passed,
> > usually 30 minutes. The problem is as follow:
> >
> > 1) User A starts a session, then closes his/her browser.
> >
> > 2) User B starts the invokes the same browser.
> >
> > Our environment wants to treat user B as a user with no session (for
> > example, the user is prompted to log on, and only THEN a session is
> > instantiated). Is there a way for the server to destroy the session
> > upon the user closing the browser?
> >
> > If this is the right way to approach the problem, suggestions for
> > solution are most welcome! If any of the above is incorrect, your input
> > is even more appreciated!
> >
>
> Most servlet containers configure their session ID cookies with the age value
> that says "this cookie expires when the browser is closed" for precisely this
> reason. In Java, you do this by calling Cookie.setMaxAge() with a negative
> argument. Therefore, as soon as user A closes the browser (or it crashes on
> them :-) and user B starts it, all the session cookies are gone.
>
> As a side effect (for Netscape at least) this setting causes the cookie to
> never be written out to the cookies.txt file, since there is no reason to save
> it. This reduces the risk of someone being able to snoop your hard disk, swipe
> your session ID, and impersonate you.
>
> >
> > Jean Bresse
> >
>
> Craig McClanahan
>
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
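To illustrate both points in this thread (Craig's browser-session cookie via a negative setMaxAge(), and KZL's question about cookies that cannot be faked by editing a text file), here is an added example; it is not code from the thread or from any servlet container. The class name, the cookie name SESSIONID and the in-memory session table are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper (not from the thread): issues and validates a session cookie.
public class SessionCookieHelper {
    static final String NAME = "SESSIONID";
    // Server-side table of issued IDs -> user. The only thing the client holds is
    // an opaque random token, so there is nothing meaningful to edit in cookies.txt.
    static final Map<String, String> sessions = new ConcurrentHashMap<>();
    static final SecureRandom rng = new SecureRandom();

    /** Create an unguessable 128-bit session ID and send it as a browser-session cookie. */
    public static String issue(HttpServletResponse resp, String user, boolean httpsOnly) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);                   // CSPRNG, not java.util.Random
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, user);
        Cookie c = new Cookie(NAME, id);
        c.setMaxAge(-1);        // negative: discarded when the browser closes, not persisted
        c.setPath("/");
        c.setSecure(httpsOnly); // when true, the browser only sends it over SSL
        resp.addCookie(c);
        return id;
    }

    /** Return the user bound to the request's session cookie, or null if none/unknown. */
    public static String lookup(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) {
                // A forged or edited value is simply absent from the table.
                return sessions.get(c.getValue());
            }
        }
        return null;
    }

    /** Explicit logout: drop the server-side entry so the token is useless even if copied. */
    public static void invalidate(String id) {
        sessions.remove(id);
    }
}
```

A 128-bit value from SecureRandom cannot be guessed or edited into a valid ID; combined with the browser-session cookie it addresses both the hard-disk snooping risk Craig describes and the text-file editing KZL asks about.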