Hi,

I am using URL rewriting for session tracking, i.e., the session id is on the URL. After I log in to a web application, if someone else knows my current session id, he/she can access my account using the session id. It is OK because it is difficult for others to guess my session id.

But right now I have encountered an issue that will breach the security. Our web application is using a 3rd-party payment system. When a user clicks the pay button, we need to tell the payment system a return URL, a page URL to go to after a user finishes with the payment system. The return URL needs to have the user's session id so that he/she will not need to log in again after returning from the payment system. In this case, the 3rd-party payment system will know the user's session id, which is a security hole.

Is there a solution for this scenario? Is it the same security hole for cookie-based session tracking? In our case, we have to use URL rewriting because sometimes a new session is needed when users click some links on pages.

In my opinion, a session id is not sufficient to identify a session; it should have the client's IP address for more security.

Thanks for any ideas.

Dave
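One way to keep the session id out of the return URL described in the post above, shown as an added example that is not part of the original message: the return URL carries a random, single-use, short-lived token that the server maps back to the session, and redemption also checks the client IP the poster suggests. The names `issue_return_url` and `redeem`, the `rt` parameter, the 15-minute lifetime and the in-memory dict are assumptions made for illustration.

```python
import secrets
import time

TOKEN_TTL = 900   # assumed lifetime of a return token, in seconds
_pending = {}     # token -> (session_id, client_ip, expires_at); stand-in for a server-side store


def issue_return_url(base_url, session_id, client_ip, now=None):
    """Build the return URL given to the payment system; it carries no session id."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # unguessable and unrelated to the session id
    _pending[token] = (session_id, client_ip, now + TOKEN_TTL)
    return f"{base_url}?rt={token}"     # 'rt' is a hypothetical parameter name


def redeem(token, client_ip, now=None):
    """Return the session id for a valid token, otherwise None."""
    now = time.time() if now is None else now
    # pop() consumes the token on the first attempt, even a failed one, so a
    # party that only saw the URL cannot replay it after the user has returned.
    entry = _pending.pop(token, None)
    if entry is None:
        return None
    session_id, issued_ip, expires_at = entry
    # The IP comparison is the extra binding suggested in the post; it can reject
    # legitimate users whose address changes (NAT pools, proxies, mobile networks).
    if now > expires_at or client_ip != issued_ip:
        return None
    return session_id
```

A failed redemption sends the user back to the login page. The token is still a bearer value until it is redeemed or expires, so the lifetime should be as short as the payment flow allows.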