Re: Changing SessionId at every request

2003-12-03 Thread Kirk Wylie
re must be a solution for this trouble right Thanks Gary - Original Message - From: "Andrew Hill" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Wednesday, December 03, 2003 3:14 PM Subject: RE: Changing SessionId at every requ

[OT] Re: Changing SessionId at every request

2003-12-03 Thread Adam Hardy
MAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Wednesday, December 03, 2003 3:03 PM Subject: Re: Changing SessionId at every request I assume that Gurpreet wants to do it for security reasons and it's not a bad idea. It certainly means that nobody w

Re: Changing SessionId at every request

2003-12-03 Thread Gurpreet Dhanoa
ber 03, 2003 3:14 PM Subject: RE: Changing SessionId at every request > ahhh... ok I think I see what you mean > > So by 'hand rolled' sessionId what you mean is some kind of token that must > be submitted with each request to verify that it came from the real client? &g

RE: Changing SessionId at every request

2003-12-03 Thread Andrew Hill
ity though, I would think using SSL might be a safer option - though the performance is lower. -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: Wednesday, 3 December 2003 17:33 To: Struts Users Mailing List Subject: Re: Changing SessionId at every request I assume tha

Re: Changing SessionId at every request

2003-12-03 Thread Gurpreet Dhanoa
gt; Sent: Wednesday, December 03, 2003 3:03 PM Subject: Re: Changing SessionId at every request > I assume that Gurpreet wants to do it for security reasons and it's not > a bad idea. It certainly means that nobody would be able to share a > session, and so therefor a session-hija

Re: Changing SessionId at every request

2003-12-03 Thread Adam Hardy
I assume that Gurpreet wants to do it for security reasons and it's not a bad idea. It certainly means that nobody would be able to share a session, and so therefor a session-hijack would become obviously immediately. I think expiring the session is overkill - I would just leave the session as

RE: Changing SessionId at every request

2003-12-03 Thread Navjot Singh
don't know why do you wish to do so? but it an be done. Write a filter. pass every request thru that. 1. Fetch the session, expire it. Server will assign new. 2. Fetch the session, don't expire the session, just append a timestamp to it. set a cookie and use that to maintain session. HTH navjot s

RE: Changing SessionId at every request

2003-12-02 Thread Andrew Hill
huh? This is a joke right? -Original Message- From: Gurpreet Dhanoa [mailto:[EMAIL PROTECTED] Sent: Wednesday, 3 December 2003 14:14 To: Struts Users Mailing List Subject: Changing SessionId at every request HI, IS it possible to change the Session Id generated by the Web Server at ever