You are correct. And that is one more reason to only use cookies to save
session tokens instead of using the URL.

On the other hand, you could pass two tokens, one of the tokens being a
sequencer combined with a reboot counter and the second being a GUID.
Both of the tokens can be used to identify a session on the server.

Since the traffic coming through the toysrus.com site is so large, I've
been thinking a lot about this topic.

On Thu, 25 Nov 1999, Andras Balogh wrote:

> Hi all,
>
> I have a strange question. When the session is maintained with URL
> rewriting, the session id is added at the end of a link. Now if I follow
> this link I can see a long session id number.
> What happens if I MANUALLY modify this number at client side?
> I will end in somebody else's session? This should be possible, no?
>
> Every answer is appreciated.
>
> Best wishes,
>
> Andras.
>
>
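
One way to read the two-token idea from the reply, as an added example that is not part of the original message: the sequencer plus reboot counter only locates the session, and the GUID must match before the session is handed out, so editing the number by hand does not land in someone else's session. The class and method names, the `rebootCounter-sequence` locator format, and the choice of a random (version 4) GUID are assumptions of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

/** Added illustration: sessions addressed by a locator, authenticated by a random GUID. */
public class TwoTokenSessions {
    // Assumption: the reboot counter is read from persistent storage and
    // incremented on every server start, so locators never repeat after a restart.
    private final long rebootCounter;
    private final AtomicLong sequencer = new AtomicLong();
    private final Map<String, String> guidByLocator = new ConcurrentHashMap<>();

    public TwoTokenSessions(long rebootCounter) {
        this.rebootCounter = rebootCounter;
    }

    /** Creates a session and returns {locator, guid} to hand to the client. */
    public String[] create() {
        // Token 1: predictable by design, it only says where to look.
        String locator = rebootCounter + "-" + sequencer.incrementAndGet();
        // Token 2: version 4 UUID from a cryptographically strong generator.
        // A time/MAC-based (version 1) GUID would be guessable and must not be used here.
        String guid = UUID.randomUUID().toString();
        guidByLocator.put(locator, guid);
        return new String[] {locator, guid};
    }

    /** True only when the locator exists and the GUID presented with it matches. */
    public boolean validate(String locator, String guid) {
        if (locator == null || guid == null) return false;
        String expected = guidByLocator.get(locator);
        if (expected == null) return false;
        // Constant-time comparison, so response timing does not leak matching prefixes.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     guid.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        TwoTokenSessions store = new TwoTokenSessions(7); // constructed reboot counter
        String[] alice = store.create();
        String[] bob = store.create();
        System.out.println("own pair accepted:       " + store.validate(alice[0], alice[1]));
        // A client that edits its locator to a neighbour's still presents its own GUID.
        System.out.println("edited locator accepted: " + store.validate(bob[0], alice[1]));
        System.out.println("stale reboot accepted:   " + store.validate("6-1", alice[1]));
    }
}
```

The locator keeps the server-side lookup cheap under heavy traffic, while the strength of the scheme rests entirely on the GUID being unpredictable.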

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
