Sonny Sukumar wrote:

Hi guys,


I know I've brought up some session questions before, and I gained great insight from those discussions, but there's some issues I want to understand better before I make implementation decisions. Assume the context of a B2C e-commerce site when considering these issues....

---Assume URL encoding is being used because a customer has all cookies turned off.


1.) Customer puts a few items in her shopping cart.
2.) Customer logs in to view some account details.
3.) Customer then sees her friend on IM and copies a product page URL to her friend. This URL contains her session ID.
4.) The friend clicks on the link and views the product page. However, she now can click on "My Account" or whatever or "My Cart", and because she'll appear to be the first customer (she has the same session ID), she can view all the personal details she shouldn't be able to.


What's the best way to go here?

What about binding the session to an IP address? As I wrote last time, I don't like cookies (security problem if somebody does not log out explicitly). For link rewriting you have the problem above. So why not test server-side whether the login for a specific session was done using the same IP as the current request? The friend who got the copied link does not have a valid IP/session ID combination and has to log in herself.


Joerg
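Joerg's server-side check, written out as an added Python example (not code from either poster): the session records the IP that performed the login, and account pages are served only when the requesting IP matches, so a friend who pastes the copied link is treated as not logged in. The in-memory `SESSIONS` store, the `sessionid` URL parameter and the 203.0.113.x / 198.51.100.x addresses are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Dict

# Constructed in-memory session store standing in for the server's real one.
@dataclass
class Session:
    cart: List[str] = field(default_factory=list)
    user: Optional[str] = None       # set once the customer has logged in
    login_ip: Optional[str] = None   # IP address the login request came from

SESSIONS: Dict[str, Session] = {}

def new_session() -> str:
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = Session()
    return sid

def add_to_cart(sid: str, item: str) -> None:
    SESSIONS[sid].cart.append(item)

def login(sid: str, user: str, client_ip: str) -> None:
    """Remember which IP logged in for this session (Joerg's IP/session pair)."""
    s = SESSIONS[sid]
    s.user, s.login_ip = user, client_ip

def account_allowed(sid: str, client_ip: str) -> bool:
    """Serve 'My Account' only to the IP that logged this session in.
    Any other holder of the same session ID has to log in again."""
    s = SESSIONS.get(sid)
    return s is not None and s.user is not None and s.login_ip == client_ip

def product_page_url(sid: str, product: str) -> str:
    # Link rewriting: the session ID travels inside the URL the customer copies.
    return f"https://shop.example/product/{product}?sessionid={sid}"

def scenario() -> dict:
    """Walk through the four steps from the thread and report the outcomes."""
    sid = new_session()
    add_to_cart(sid, "shoes")                      # step 1
    login(sid, "customer", "203.0.113.10")         # step 2
    link = product_page_url(sid, "shoes")          # step 3: link sent over IM
    leaked_sid = link.split("sessionid=")[1]       # step 4: friend uses it
    return {
        "customer_sees_account": account_allowed(leaked_sid, "203.0.113.10"),
        "friend_sees_account": account_allowed(leaked_sid, "198.51.100.7"),
        "cart": list(SESSIONS[leaked_sid].cart),  # the cart itself stays shared
    }
```

The cart is still reachable through the shared ID, and two clients behind the same NAT or proxy present the same address, so the check narrows the exposure rather than removing it.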

