----- Original Message -----
Sent: Friday, May 12, 2000 2:09 PM
Subject: Re: Session Tracking
problem...
Not really. If I can work out the cookie
scheme from cookies being set by your application, then not using URL
rewriting doesn't buy you much more. You can elect to set other cookies,
or put other tickets into the URL that change per request, but even those can
be worked out, given enough horsepower. You cannot add info, like IP
address, since those may not be unique, or in the case of AOL (as an example)
users IP addresses continue to change depending on which gateway they come
through to hit your site.
If you really need more security that session
cookies, then use SSL and browser auth or certificates.
Thor HW
----- Original Message -----
Sent: Thursday, May 11, 2000 8:52
PM
Subject: Re: Session Tracking
problem...
Hi, Jackson, thanks for your comments.
Actually, others can know the session id from viewing the
source
easily. i just wonder if there is a way to hide
the session id without cookie.
liwen
----- Original Message -----
Sent: Friday, May 12, 2000 11:31
AM
Subject: Re: Session Tracking
problem...
Liwen,
another way is to use of hidden fields in your
form.
<FORM ... >
<INPUT
TYPE=HIDDEN NAME=SESSIONID VALUE=yourSessionId>
</FORM>
jack
*********** REPLY SEPARATOR
***********
On 5/12/00 at 8:49 AM Liwen Chen wrote:
Hi, friends, I got a problem about Session
Tracking in Servlets:
When user disable cookie, we cannot using
HttpSession to pass SessionID around servlets. Everytime,
the SessionID is a new one for the request.
The alternative way is using URL rewriting, as suggested by
some books. My problem is: can I do it
without using URL rewriting? I want to do so because URL
rewriting has some disadvantages like lack
of security...
Thanks for your consideration!
Regards
Liwen
