Enrique Arizón wrote:

I use "sequence numbers" to avoid the problem. It's
basically a similar solution to the "secrets"
mentioned in the article. An increasing integer number
is sent back to the client with every request. The client
must put it back to the server with each new request.
It has the added advantage (that was really my primary
intention) that it can be used for other useful
purposes (for example, forbidding reloading of
"critical" pages by just checking whether the sequence number
has or has not already been used). An external attacker
has no idea what the next sequence number must
be, so Session Riding is not possible (at least that's
what I think).

I assume you attach this number to the URLs in the final HTML response? Passing it back as a cookie is useless, AFAIS.

I don't know how this mechanism or something similar
could be added in a general way to the Webware
framework, but it would be great if a brighter brain
than mine could get it done.
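
The scheme discussed in this thread, sketched as an added example that is not part of either message and is not Webware code: a per-session number is written into each generated URL (not a cookie, which the browser would attach to a forged request as well) and accepted once only. The class `SequenceGuard`, the `seq` parameter name and the random starting value are assumptions made for this sketch.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class SequenceGuard:
    """Per-session sequence numbers carried in URLs, accepted once each."""

    def __init__(self):
        self._next = {}         # session id -> next number to issue
        self._outstanding = {}  # session id -> issued, not yet used numbers

    def issue(self, session_id):
        # Assumption: the counter starts at a random 64-bit value, so an
        # outsider cannot guess it by trying small integers.
        n = self._next.get(session_id)
        if n is None:
            n = secrets.randbits(64)
        self._next[session_id] = n + 1
        self._outstanding.setdefault(session_id, set()).add(n)
        return n

    def link(self, session_id, path, **params):
        # The number travels in the URL the server itself generated.
        params["seq"] = self.issue(session_id)
        return path + "?" + urlencode(params)

    def check(self, session_id, url):
        """True only for an issued, unused number belonging to this session."""
        values = parse_qs(urlparse(url).query).get("seq", [])
        if len(values) != 1 or not (values[0].isascii() and values[0].isdigit()):
            return False  # missing, duplicated or malformed parameter
        n = int(values[0])
        pending = self._outstanding.get(session_id, set())
        if n not in pending:
            return False  # never issued, or already used (reload or replay)
        pending.discard(n)
        return True


def demo():
    guard = SequenceGuard()
    sid = "session-A"  # constructed session id
    url = guard.link(sid, "/transfer", to="bob", amount="10")
    # Constructed cross-site request: it rides the session but carries no number.
    forged = "/transfer?" + urlencode({"to": "mallory", "amount": "10"})
    return {
        "forged": guard.check(sid, forged),
        "first_use": guard.check(sid, url),
        "reload": guard.check(sid, url),
    }
```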


