Greetings:

One of my requirements is single-sign-on, whereby the user logs in only once for all services. The username and password are captured at login and stored in session variables for this purpose. Now some of the services require the password for authentication, so I pull this from the session. So far so good. But in my testing, usually after some Exception has occurred, I have occasionally seen the password appear in the URL even though I never explicitly pass it this way, and never would, of course.

Since unanticipated exceptions do occur, even in production software, this is a concern and I'd like to know why this is happening. I suspect it has something to do with Turbine's capability to automatically stick cookies into the URL when the browser disables them, which I have not yet studied. Is there a way to "protect" certain session values from ever being handled this way? If not, how do others handle the transfer of sensitive information like this, which must never be exposed, even accidentally?

Thanks,
Bruce

"It's a magical world, Hobbes, ol' buddy...let's go exploring!" ---Calvin
