Not really.  If I can work out the cookie scheme from cookies being set by your application, then not using URL rewriting doesn't buy you much more.  You can elect to set other cookies, or put other tickets into the URL that change per request, but even those can be worked out, given enough horsepower.  You cannot add info, like IP address, since those may not be unique, or in the case of AOL (as an example) users' IP addresses continue to change depending on which gateway they come through to hit your site.
 
If you really need more security than session cookies, then use SSL and browser auth or certificates.
 
Thor HW
----- Original Message -----
From: Liwen Chen
Sent: Thursday, May 11, 2000 8:52 PM
Subject: Re: Session Tracking problem...

Hi, Jackson, thanks for your comments. Actually, others can know the session id from viewing the source
easily. I just wonder if there is a way to hide the session id without a cookie.
 
liwen
----- Original Message -----
Sent: Friday, May 12, 2000 11:31 AM
Subject: Re: Session Tracking problem...

Liwen,
 
    Another way is to use hidden fields in your form.
 
    <FORM ... >
      <INPUT TYPE=HIDDEN NAME=SESSIONID VALUE=yourSessionId>
    </FORM>
 
jack

*********** REPLY SEPARATOR ***********

On 5/12/00 at 8:49 AM Liwen Chen wrote:
Hi, friends, I have a problem with Session Tracking in Servlets:
 
When the user disables cookies, we cannot use HttpSession to pass the SessionID around servlets. Every time,
the SessionID is a new one for the request. The alternative way is to use URL rewriting, as suggested by
some books. My problem is: can I do it without using URL rewriting? I want to do so because URL
rewriting has some disadvantages, like lack of security...
 
Thanks for your consideration!
 
Regards
Liwen
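
The hidden-field approach and the per-request tickets discussed in this thread, as an added example that is not code from any of the posters: the server issues a random ticket, accepts it once, and replaces it on every request. The class name, the 15-minute idle timeout and the user name are assumptions, and the record syntax needs Java 16 or later.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class, Java 16+): server-side store of random, single-use tickets.
public class HiddenFieldSessions {
    record Session(String user, long lastSeen) {}

    private static final SecureRandom RNG = new SecureRandom();
    private static final long IDLE_TIMEOUT_MS = 15 * 60 * 1000L; // assumed policy
    private final Map<String, Session> live = new ConcurrentHashMap<>();

    // 128 bits from a CSPRNG: observed tickets reveal no scheme to work out.
    private String issue(String user) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        live.put(ticket, new Session(user, System.currentTimeMillis()));
        return ticket;
    }

    public String login(String user) { return issue(user); }

    // Consume the presented ticket and return its replacement, or null if unknown, reused or idle too long.
    public String rotate(String presented) {
        if (presented == null) return null;
        Session s = live.remove(presented); // atomic: a replayed ticket finds nothing
        if (s == null || System.currentTimeMillis() - s.lastSeen() > IDLE_TIMEOUT_MS) return null;
        return issue(s.user());
    }

    // URL-safe Base64 needs no HTML escaping inside a quoted attribute.
    public static String hiddenField(String ticket) {
        return "<INPUT TYPE=HIDDEN NAME=SESSIONID VALUE=\"" + ticket + "\">";
    }

    public static void main(String[] args) {
        HiddenFieldSessions store = new HiddenFieldSessions();
        String t1 = store.login("alice"); // constructed user name
        System.out.println(hiddenField(t1));
        String t2 = store.rotate(t1);
        System.out.println("rotated to new ticket: " + (t2 != null && !t2.equals(t1)));
        System.out.println("replay of old ticket rejected: " + (store.rotate(t1) == null));
    }
}
```

Rotating on every request means the back button and a second browser window will present a ticket that has already been consumed. The ticket is still readable in the page source and on the wire, so the thread's advice to use SSL still applies.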
