If you use the REMOTE_USER environment variable
to validate the session id against, wouldn't that
ensure that, even if the session id is valid,
it actually belongs to the user who sent it?
Cheers
Steve
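
Added example, not part of the original message: a servlet filter that applies the check asked about above by recording the REMOTE_USER a session was first used by and refusing later requests that present the same session id under a different user. The class name, the `session.owner` attribute name and the bind-on-first-authenticated-request policy are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Rejects a request whose session is bound to a different REMOTE_USER. */
public class SessionOwnerFilter implements Filter {
    // Hypothetical attribute name; holds the user the session was bound to.
    static final String OWNER = "session.owner";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getRemoteUser() is the servlet view of REMOTE_USER; it is null unless
        // the container or front-end web server authenticated this request.
        String user = req.getRemoteUser();
        HttpSession session = req.getSession(false); // never create a session here

        if (session != null) {
            String owner = (String) session.getAttribute(OWNER);
            if (owner == null && user != null) {
                // Assumed policy: bind on the first authenticated request.
                session.setAttribute(OWNER, user);
            } else if (owner != null && !owner.equals(user)) {
                // Valid session id, but presented by another user or by an
                // unauthenticated client: drop the session and refuse.
                session.invalidate();
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(rq, rs);
    }
}
```

The comparison only adds protection when REMOTE_USER is established independently of the session id on every request, for example by HTTP Basic or client-certificate authentication. With form-based container login the authenticated user is itself looked up from the session, so both values come from the same cookie and will always agree.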
Archives: http://archives.java.sun.com/archives/servlet-interest.html