This is a standard issue with servlet applications.
One solution is to track the original IP address in the session, and
reject any requests that come from a different IP address.
Another solution is to configure your container/application to store
session information in cookies instead of the URL.
On 4/12/07, Wong, Emmanuel (Sam) <[EMAIL PROTECTED]> wrote:
Hi:
Could we hide the session id on the URL? It seems if I capture the
URL with the session id, I was able to get into the application. Thanks.
--> Sam Wong
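
The two mitigations suggested in the reply, sketched as a servlet filter. This is an added example, not code from either poster or from any project discussed in the thread. The class name `SessionBindingFilter` and the attribute name `sessionBinding.remoteAddr` are hypothetical; the filter uses the `javax.servlet` API and must be mapped in front of the application's protected URLs.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: hypothetical filter, not part of the original thread.
public class SessionBindingFilter implements Filter {
    // Assumed attribute name used to remember the address a session was bound to.
    private static final String BOUND_ADDR = "sessionBinding.remoteAddr";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Refuse session ids that arrive in the URL (;jsessionid=...), so a
        // copied URL does not carry a usable session.
        if (request.isRequestedSessionIdFromURL()) {
            reject(request, response);
            return;
        }

        // getRemoteAddr() is the direct peer: behind a reverse proxy it is the
        // proxy's address, and clients whose address changes will be rejected.
        String addr = request.getRemoteAddr();
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_ADDR);
            if (bound != null && !bound.equals(addr)) {
                reject(request, response);
                return;
            }
        }

        chain.doFilter(req, res);

        // Bind sessions that were created (for example at login) or first
        // seen during this request; getSession(false) never creates one.
        session = request.getSession(false);
        if (session != null && session.getAttribute(BOUND_ADDR) == null) {
            session.setAttribute(BOUND_ADDR, addr);
        }
    }

    // Drop the exposed session and answer 403.
    private void reject(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession s = request.getSession(false);
        if (s != null) s.invalidate();
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}
```

The filter only stops URL-supplied ids from being accepted; the container can still write them into links through `encodeURL` unless it is also configured for cookie-based session tracking.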