We are facing problems while using cookieless session. When the user copies
and pastes the url from one machine to another, he is able to access the data
entered by the first user. Is there any way to eliminate this problem?
Thanks in advance.
Hello,
The session identifier is used to identify which session the visitor is linked to.
As it sounds....
Consequently, if someone does a copy/paste of one of your cookie-less
URLs, he gets access to your session.
The role of the SESSIONID is to establish the link: this is an identification
process. What you're looking for is an authentication process: after identifying
which session is requested, you want the application to make sure nobody is
usurping an identity.
You need to add a few checks to make sure of this. There are many discussions
about that, the term used by many security professionals is "session hijacking".
For example:
- adding secure tokens to your urls
- IP address to session-id link
- challenged URLs
- ...and so on...
Good luck!
Antonio