The session ID is a servlet-engine-level entity;
it is not set by Turbine.

But the hijacking you speak of is totally possible,
and there is nothing to stop it.

There is not enough other information available
from the client in the HTTP request to ensure
that the client is the same entity that made previous
requests; that is what the session ID is for.



"Diethelm Guallar, Gonzalo" wrote:
> 
> This may show my ignorance; here it goes...
> 
> When a user visits a Turbine app, Turbine
> creates a session for the user, and sends
> the user an opaque identifier for the session
> (in the shape of a cookie or a URL parameter).
> Say it is a URL parameter, for simplicity.
> How easy would it be for another user on a
> separate machine to just copy the whole URL
> and, to a certain extent, "hijack" the session?
> What information is associated with this
> identifier within Turbine to ensure that the
> client that originally authenticated is
> the one who keeps sending requests for the
> session?
> 
> Please correct any misunderstandings that I
> may have about how Turbine operates. Thanks,
> 
> --
> Gonzalo A. Diethelm
> [EMAIL PROTECTED]
>


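Since the container cannot prove that two requests come from the same client, the practical defence is to limit how an ID can be copied and how long a copied ID stays useful. The following filter is an added example, not Turbine's code or anything from the thread; it assumes the Servlet 3.1 API (for `changeSessionId()`) and an application login action that calls the helper, and the attribute name is a constructed placeholder.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical filter, added as an example (not part of Turbine).
 * It does not try to identify the client (the HTTP request carries nothing
 * reliable for that); it narrows what a copied session ID is worth:
 *  - an ID carried in the URL is refused, so the ID is never in copied links,
 *    Referer headers or proxy logs (the case raised in the question);
 *  - an ID presented over plain HTTP is refused, so it is not readable in transit;
 *  - after login the ID is replaced, so an ID obtained beforehand is useless.
 */
public class SessionHardeningFilter implements Filter {
    // Constructed attribute name marking a session as authenticated.
    static final String LOGIN_FLAG = "authenticated";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;

        boolean idPresented = r.getRequestedSessionId() != null;
        if (idPresented && (r.isRequestedSessionIdFromURL() || !r.isSecure())) {
            // The ID pointed at by this request may already be exposed:
            // drop the session it names and make the client start over.
            HttpSession s = r.getSession(false);
            if (s != null) {
                s.invalidate();
            }
            w.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "session id must be sent as a cookie over HTTPS");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Call from the login action right after the credentials are verified. */
    public static void rotateAfterLogin(HttpServletRequest r) {
        HttpSession s = r.getSession(true);
        // Same session object and data, new ID; the pre-login ID stops working.
        r.changeSessionId();
        s.setAttribute(LOGIN_FLAG, Boolean.TRUE);
    }
}
```

Register the filter in web.xml (or with `@WebFilter`) ahead of the application's servlets, and set the session cookie's `HttpOnly` and `Secure` flags via `SessionCookieConfig` so scripts and plain-HTTP requests cannot read it either.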
Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>