Hi

> How do I deal with a situation where a user logged in and found something interesting on my site and decided to give the URL address (with jsessionid) of the page to his/her friend? Since the URL has the session id of the sender, the receiver clicks on the link and will have access to the sender's account details.
You can do some things:

1. If the remote IP changes, drop the session.
2. If the referer of the request is not set, drop the session.

Both have their drawbacks though:

1. will fail if the dynamic IP changes: the legitimate user will be logged out.
2. will fail if the browser or a proxy removes the referer: the user will not be able to log in.

Also, this will not secure everything: two users behind one proxy will not be distinguishable, therefore if they copy URLs, the problem recurs.

Obviously, there is another solution: switch to cookies instead of SIDs in URLs.

And on the other hand: warn the user upon login not to share URLs. It is their liability not to share their password, so if they are warned, it can be their liability not to share session ids.

Regards,
Steffen
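The following servlet filter is an added example written for this thread; it is not code posted by either participant. It shows the defensive side of what Steffen describes: a request whose session id arrived via URL rewriting (the ";jsessionid=..." form that a shared link carries) gets its session invalidated and is redirected to the same path without the id, and, optionally, a session is bound to the remote address that created it (Steffen's option 1, with the same caveat that users behind a changing or shared IP will be affected). It assumes a javax.servlet container such as Tomcat; the filter class name, the init parameter `bindToRemoteAddr`, and the session attribute name are hypothetical.

```java
// Added example for the thread above; not the project's own code.
// Assumes a javax.servlet (Servlet 2.4 or later) container such as Tomcat.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionIdInUrlFilter implements Filter {

    // Hypothetical attribute name under which the creating client's address is stored.
    private static final String BOUND_ADDR = "SessionIdInUrlFilter.remoteAddr";

    // Matches the URL-rewritten session id that a copied link would carry.
    private static final Pattern JSESSIONID_PATH_PARAM =
            Pattern.compile("(?i);jsessionid=[^;/?]*");

    // Hypothetical init-param: bind each session to the remote address that created it.
    private boolean bindToRemoteAddr;

    public void init(FilterConfig config) {
        bindToRemoteAddr = "true".equalsIgnoreCase(config.getInitParameter("bindToRemoteAddr"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. A session id presented in the URL is never trusted: invalidate whatever it
        //    points at and send the client to the same path with the id stripped, so the
        //    recipient of a shared link lands on a fresh (logged-out) session.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession stale = request.getSession(false);
            if (stale != null) {
                stale.invalidate();
            }
            response.sendRedirect(stripSessionId(request.getRequestURI()));
            return;
        }

        // 2. Optional address binding (Steffen's option 1). Drawback, as noted in the
        //    thread: a legitimate user whose dynamic IP changes is logged out, and users
        //    behind one proxy share an address and are not told apart.
        if (bindToRemoteAddr) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                String bound = (String) session.getAttribute(BOUND_ADDR);
                if (bound == null) {
                    session.setAttribute(BOUND_ADDR, request.getRemoteAddr());
                } else if (!bound.equals(request.getRemoteAddr())) {
                    session.invalidate();
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
            }
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    // Removes a ";jsessionid=..." path parameter from a request URI.
    static String stripSessionId(String uri) {
        return JSESSIONID_PATH_PARAM.matcher(uri).replaceAll("");
    }
}
```

Map the filter to `/*` in web.xml so it runs before any servlet touches the session. The filter is a backstop; the cleaner fix Steffen mentions (cookies instead of SIDs in URLs) is, on a Servlet 3.0 or later container, a `session-config` element with `tracking-mode` set to `COOKIE` in web.xml, which stops the container from ever emitting a URL-rewritten session id in the first place. Users without cookies then cannot keep a session, which is the trade-off being accepted.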