When you mean 'session', it's using methods like HttpSession session =
req.getSession(true);? If yes... then... aren't they still using cookies?
'Cause that's what I'm using. And when I test my app by turning off the
cookies... my app is just... screwed.

-----Original Message-----
From: Christopher Williams [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 8:17 PM
To: Tomcat Users List
Subject: Re: Implementing a Login procedure, but avoiding
cookies/session


Magic?  Actually, you could use URL-rewriting or hidden forms, but
anybody using your page could change the value from "0" to "1" to fool
your code into thinking they'd logged on.  They could also do the same
with a cookie if they reverse engineered your cookie data (which is not
hard).  Best to use the Session object as that's stored server side,
and, conveniently, goes away when the user does.



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
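
The server-side Session approach discussed in this thread, made to work when the browser refuses cookies, as an added example that is not code from either poster. The class name, the "/home", "/account" and "/login.html" paths and the demo account are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.*;

// Added example; class name, paths and the demo account are assumptions.
public class LoginServlet extends HttpServlet {
    // Constructed demo credentials; a real app would query its user store.
    private static final String DEMO_USER = "demo";
    private static final byte[] DEMO_PASS = "demo-password".getBytes(StandardCharsets.UTF_8);

    // Hypothetical helper standing in for the application's credential check.
    private static boolean authenticate(String user, String pass) {
        if (user == null || pass == null) return false;
        boolean passOk = MessageDigest.isEqual(DEMO_PASS, pass.getBytes(StandardCharsets.UTF_8));
        return DEMO_USER.equals(user) & passOk;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!authenticate(req.getParameter("user"), req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop any pre-login session so a session ID planted in a link is not reused.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        // The flag lives on the server; the client only holds the opaque session ID.
        session.setAttribute("loggedIn", Boolean.TRUE);
        // encodeRedirectURL appends ;jsessionid=... only when the client has not
        // returned the session cookie, so the login survives cookies being off.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false); // never create a session here
        boolean loggedIn = session != null && Boolean.TRUE.equals(session.getAttribute("loggedIn"));
        if (!loggedIn) {
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login.html"));
            return;
        }
        resp.setContentType("text/html");
        // Every link the page emits must also pass through encodeURL.
        resp.getWriter().println("<a href=\"" + resp.encodeURL(req.getContextPath() + "/account") + "\">Account</a>");
    }
}
```

With URL rewriting the session ID travels in the URL, so it can end up in access logs, browser history and Referer headers; serve such pages over HTTPS and keep the session timeout short.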


