If a session's chances of being hijacked are very high because of the same sessionid going back and forth between client and server, why not make the server send back a new sessionid cookie with each response, and associate the sessionid with the httpsession?

I can see how it might be a little more processing, but is there anything inherently flawed in this thinking?

I'm trying to understand this thing, so it's not about having just a super secure connection, but I'm looking for a cheap way to improve the security...
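The scheme asked about in the post, as an added example that is not part of the original question: a server-side store that keeps one long-lived session record but rotates the cookie id on every response, and treats a previously rotated id that comes back as a sign that two copies of the cookie exist. The class and method names are hypothetical.

```python
import secrets


class RotatingSessionStore:
    """Server-side sessions addressed by a cookie id that changes on every response.

    Added example illustrating the idea in the post above; not code from the
    original question. Class and method names are hypothetical.
    """

    def __init__(self):
        self._sessions = {}           # session id -> session data (constructed inline)
        self._current = {}            # currently valid cookie id -> session id
        self._retired = {}            # already-rotated cookie id -> session id

    def create(self):
        """Start a new session and return the first cookie id to send back."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}}
        return self._issue(sid)

    def _issue(self, sid):
        """Mint a fresh cookie id for an existing session (the rotation step)."""
        cookie = secrets.token_urlsafe(32)
        self._current[cookie] = sid
        return cookie

    def invalidate(self, sid):
        """Kill a session and every cookie id that still points at it."""
        self._sessions.pop(sid, None)
        self._current = {c: s for c, s in self._current.items() if s != sid}

    def handle_request(self, cookie):
        """Resolve a cookie id; returns (session_data, next_cookie, status)."""
        sid = self._current.pop(cookie, None)
        if sid is None:
            retired_sid = self._retired.get(cookie)
            if retired_sid is not None:
                # A cookie id that was already rotated came back. Two copies of
                # the id now exist, which is what a hijack looks like, so the
                # defensive choice is to terminate the whole session.
                self.invalidate(retired_sid)
                return None, None, "stale-id"
            return None, None, "unknown"
        self._retired[cookie] = sid
        session = self._sessions.get(sid)
        if session is None:
            return None, None, "unknown"
        return session, self._issue(sid), "ok"
```

Parallel requests from one browser (several XHRs in flight with the same cookie) will land in the stale-id branch, so a real deployment needs a short grace window for the previous id rather than a strict single-valid-id rule.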