hmm....... let's see...
for question two, if you do a bitwise XOR of the IP and session ID you
can get a new ID.
Then when you want to "decrypt" the new ID, you can do a bitwise XOR of
the new ID with the accessing IP resulting in the original sessionID.
If the IP is wrong, you get back a sessionID that is not the original.
This is a simple method, but better than nothing.
~Rob
Blake Binkley wrote:
>
> I have searched all over the place and see a lot about "URL rewriting" here
> is what I know:
>
> you can use
> <A href="<%= response.encodeURL("NewPage.jsp") %>">
> to force a single link to encode the session if cookies are turned off
>
> when cookies are turned off and the above method is used it is easy for a
> session to be loaned/stolen by just copying the url and IM (Instant
> Messaging) to a friend who also has cookies turned off
>
> the above method of using rewriting is bulky and forces either designers to
> learn some jsp code or the programmers to replace every link on every page
> with the above code.
>
> My Questions:
>
> is there no setting in server.xml that we can set to have all anchors and
> form actions ending in .jsp rewritten?
>
> perhaps to add an extra level of security can we not encrypt the jsessionId
> with the value of Remote_IP so that it invalidates on a bad decryption?
>
> Blake Binkley
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
--
_______________________________________
Robert Wohleb
Web Applications Development Manager
Parafoil Software, Inc.
_______________________________________
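
The XOR round trip described in the reply above, next to a keyed check, as an added example that is not code from either poster or from Tomcat. The class name `SessionIpBinding`, the sample session ID, the documentation-range addresses and the HMAC variant are all assumptions of this example.

```java
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SessionIpBinding {
    // XOR each byte with the client address bytes (repeated); applying it twice undoes it.
    static byte[] xorWithIp(byte[] data, InetAddress ip) {
        byte[] addr = ip.getAddress();
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ addr[i % addr.length]);
        }
        return out;
    }

    // Keyed variant (an assumption of this example): HMAC-SHA256 over session ID and address.
    static byte[] ipTag(byte[] serverKey, String sessionId, InetAddress ip) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
        mac.update(sessionId.getBytes(StandardCharsets.US_ASCII));
        mac.update((byte) 0); // separator between the two fields
        return mac.doFinal(ip.getAddress());
    }

    public static void main(String[] args) throws Exception {
        String sessionId = "3F2A9C0B7D5E41A6C8B1"; // constructed sample value
        InetAddress owner = InetAddress.getByName("192.0.2.10");   // documentation range
        InetAddress other = InetAddress.getByName("198.51.100.7"); // documentation range

        byte[] masked = xorWithIp(sessionId.getBytes(StandardCharsets.US_ASCII), owner);
        String urlToken = Base64.getUrlEncoder().withoutPadding().encodeToString(masked);
        byte[] received = Base64.getUrlDecoder().decode(urlToken);
        // Right address gives the original ID; a wrong one gives other bytes, which are
        // rejected only because no session exists under that value.
        System.out.println("owner: " + new String(xorWithIp(received, owner), StandardCharsets.US_ASCII));
        System.out.println("other: " + Base64.getEncoder().encodeToString(xorWithIp(received, other)));

        // Keyed check: tag recomputed on each request and compared in constant time.
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        byte[] issued = ipTag(key, sessionId, owner);
        System.out.println("tag ok for owner: " + MessageDigest.isEqual(issued, ipTag(key, sessionId, owner)));
        System.out.println("tag ok for other: " + MessageDigest.isEqual(issued, ipTag(key, sessionId, other)));
    }
}
```

The XOR mask is the client's own address and involves no server secret, so it obscures the ID rather than encrypting it; the keyed tag cannot be recomputed without the server key. Either form of IP binding also breaks sessions for clients whose address changes between requests.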