ahhh... ok I think I see what you mean

So by 'hand rolled' sessionId what you mean is some kind of token that must
be submitted with each request to verify that it came from the real client?
(Rather like the token mechanism used to detect double submissions)

If he is after real security though, I would think using SSL might be a
safer option - though the performance is lower.


-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 3 December 2003 17:33
To: Struts Users Mailing List
Subject: Re: Changing SessionId at every request


I assume that Gurpreet wants to do it for security reasons and it's not
a bad idea. It certainly means that nobody would be able to share a
session, and so therefore a session-hijack would become obvious
immediately.

I think expiring the session is overkill - I would just leave the
session as it is and use the filter to check and change my own
hand-rolled session id.

Adam

On 12/03/2003 08:20 AM Navjot Singh wrote:
> don't know why do you wish to do so?
> but it can be done. Write a filter. Pass every request thru that.
>
> 1. Fetch the session, expire it. Server will assign new.
> 2. Fetch the session, don't expire the session, just append a timestamp to
> it. set a cookie and use that to maintain session.
>
> HTH
> navjot singh
>
>
>>-----Original Message-----
>>From: Gurpreet Dhanoa [mailto:[EMAIL PROTECTED]
>>Sent: Wednesday, December 03, 2003 11:44 AM
>>To: Struts Users Mailing List
>>Subject: Changing SessionId at every request
>>
>>
>>Hi,
>>
>>Is it possible to change the Session Id generated by the Web
>>Server at every request for the same client? I will make it much
>>more clear.
>>
>>Say I have a Servlet running on Tomcat. What I want is, whenever
>>any user, let's assume USER A, makes a request, to change the
>>sessionId server variable which has been generated by the Web
>>Server to uniquely identify the client.
>>
>>Purpose behind doing this is to make every request safe.
>>
>>
>>Any suggestions will be highly appreciated.
>>
>>
>>Thanks in Advance
>>Gary
>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9
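
One way to write the filter Adam describes, as an added example (not code from any poster in this thread): it leaves the container session alone and checks, then replaces, a separate token on every request. The class, attribute and cookie names are made up for illustration, and it assumes a Servlet 3.0+ `javax.servlet` container and Java 8+.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: per-request token rotation; names below are hypothetical.
public class RotatingTokenFilter implements Filter {
    private static final String ATTR = "rotatingToken";   // session attribute (assumed name)
    private static final String COOKIE = "RTOKEN";         // cookie name (assumed name)
    private static final SecureRandom RNG = new SecureRandom();
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        String expected = (String) session.getAttribute(ATTR);
        if (expected != null && !matches(expected, req.getCookies())) {
            // Token missing or already replaced: two clients are using one session.
            req.getServletContext().log("rotating token mismatch from " + req.getRemoteAddr());
            session.invalidate();
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "session token mismatch");
            return;
        }
        // Issue the next token before the response is committed.
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String next = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(ATTR, next);
        Cookie c = new Cookie(COOKIE, next);
        c.setHttpOnly(true);                 // not readable from page scripts
        c.setSecure(true);                   // only sent over SSL/TLS
        c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        res.addCookie(c);
        chain.doFilter(req, res);
    }
    // Constant-time comparison of the presented cookie value with the stored token.
    private static boolean matches(String expected, Cookie[] cookies) {
        if (cookies == null) return false;
        for (Cookie c : cookies)
            if (COOKIE.equals(c.getName()))
                return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                             c.getValue().getBytes(StandardCharsets.UTF_8));
        return false;
    }
}
```

Because every response replaces the token, parallel requests from one browser (frames, images or scripts that the filter mapping also covers) arrive with a token that has already been replaced and are rejected, so map the filter only to page-level actions. The token travels in a cookie, so it protects nothing on a plain-HTTP connection where it can be read in transit, which is the point about SSL made in the top message.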
