Of course, if they can copy the URL, they can also look at the
cookies and copy them. You can add a separate cookie of your own and
cross validate them, but that only makes it harder. Or, if it is
available, you can keep the user's IP in their session and check that
the IP of each new request matches it. But, at some point, all of
this can be spoofed.
Chuck
On Mar 7, 2006, at 12:49 PM, Sacha Michel Mallais wrote:
On Mar 7, 2006, at 12:35 PM, Tanmoy Roy wrote:
I have an application which does quite a lot of form submissions. My
application is a secured application and if the Session id is exposed
then any user can copy the URL and paste the same in his/her browser
then he/she will be able to view the same page as that of the other
user. This has to be protected so that whenever he/she does that
he/she will be presented with a new login page.
You can tell WO to use cookies to store the session IDs. Check out
WOSession.setStoresIDsInCookies().
sacha
--
Sacha Michel Mallais Senior Developer / President
Global Village Consulting Inc. http://www.global-village.net/
PGP Key ID: 7D757B65 AIM: smallais
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/chill%
40global-village.net
This email sent to [EMAIL PROTECTED]
--
Coming in 2006 - an introduction to web applications using WebObjects
and Xcode http://www.global-village.net/wointro
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems. http://www.global-village.net/products/practical_webobjects
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
This email sent to [email protected]
