On Tue, 9 May 2000, Jeffrey W. Baker wrote:
> Why is the session ID invalid just because they left for a week? Ask them
> to authenticate again and take them right back to whatever they were
> doing.
>
> On some sites bookmarking the URL with the session ID embedded is the
> optimal behavior.
>
> -jwb
Session-jumping is a key concern in my application: once a user logs in,
they're going to be looking at sensitive information that pertains
directly to that user. Sessions need to be timed and expire after a short
period (30 mins or so) of inactivity.
If a registered user comes back after that time (from a bookmark or
refresh), I'm going to redirect them to the login page and then return
them to the originally requested document after they authenticate, just
like you said.
I just can't see tying in the ip address, or any other mechanism as being
100% effective for session management...
Jay
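An added illustration of the scheme Jay describes above (this is not code from the thread or from his application): a server-side session table that drops a session after 30 minutes of inactivity, a request handler that sends an expired or unknown session to the login page with the originally requested path carried in a `next` parameter, and a login handler that issues a fresh session ID and returns the user to that path. The class and function names, the in-memory store, and the injectable clock are all assumptions made for the example. The `safe_next` check is the caveat a practitioner would add to "send them back where they were": the `next` value comes from the client, so it is restricted to a same-site relative path before being used as a redirect target.

```python
import time
import secrets
from urllib.parse import urlsplit, quote, unquote

# Inactivity window from the message above: "30 mins or so".
IDLE_TIMEOUT = 30 * 60


class SessionStore:
    """In-memory session table: session id -> {user, last_seen}.

    The clock is injectable so expiry can be exercised without sleeping.
    (Hypothetical helper written for this example.)
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}

    def create(self, user):
        # A new, unguessable id on every login; the client never chooses it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a live session and refresh its activity
        timestamp; return None (and discard the record) if the session is
        unknown or has been idle longer than idle_timeout."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def safe_next(target):
    """Accept only a same-site relative path as the post-login destination.

    Anything with a scheme or host, a protocol-relative '//host' form, or a
    backslash (which browsers treat as a slash) falls back to '/'.
    """
    if not target or "\\" in target:
        return "/"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return "/"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return target


def handle_request(store, sid, path):
    """Protected-resource request: serve it for a live session, otherwise
    redirect to the login page with the requested path preserved."""
    user = store.lookup(sid)
    if user is None:
        return ("redirect", "/login?next=" + quote(path, safe=""))
    return ("ok", user)


def handle_login(store, user, next_param):
    """Successful authentication: mint a new session id and pick the
    destination, validated so the client cannot steer the redirect
    off-site."""
    sid = store.create(user)
    return (sid, safe_next(unquote(next_param)))


if __name__ == "__main__":
    # Constructed walk-through: log in, go idle past the window, come back
    # from a bookmark, re-authenticate and land on the original page.
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("jay")
    now[0] += 31 * 60
    status, where = handle_request(store, sid, "/account/statement?month=5")
    print(status, where)
    new_sid, dest = handle_login(store, "jay", where.split("next=", 1)[1])
    print(handle_request(store, new_sid, dest))
```

Each successful lookup refreshes `last_seen`, so the window is 30 minutes since the last request rather than since login, which is the behaviour the message asks for; tying the session to the client IP address is deliberately not part of the check, matching the doubt expressed above.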