
Risk on session tracking

 
Nesan Krish
Ranch Hand
Posts: 40
The Cade book (page 144) discusses the risks of using cookies and URL rewriting for session tracking, and concludes that the risk is high with URL rewriting, which I could not understand completely. Can anyone explain this point further? Thanks in advance.
 
Frank Silbermann
Ranch Hand
Posts: 1406
Storing the session ID in the URL requires a relatively short session ID. That may make it difficult to prevent hackers from breaking into other people's sessions by modifying the session ID. If you make the session ID a cookie or hidden form field, then first of all the hacker needs to be a bit smarter to hack his own browser first. Second, you can make the session ID larger, which makes it harder to guess a valid session ID.
 
Dan Drillich
Ranch Hand
Posts: 1183
Nesan,

A side issue.

The 'Professional Java Server Programming J2EE Edition' makes an interesting point about URL rewriting: "URL rewriting requires that all pages in the application be dynamically generated. URL rewriting cannot be enforced for static HTML pages, because the unique URL path parameter (the jsessionid) is dynamic and differs from user to user."

Regards,
Dan
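The following is an added example, not code from the thread or from any servlet container. It is a toy in-memory model of how a container resolves a session from the ;jsessionid= path parameter or from a JSESSIONID cookie, written to make two things in the replies above concrete: Frank's guess-space arithmetic (how many bits of ID an attacker has to guess for a given alphabet and length), and Dan's quoted point that a hard-coded link in a static HTML page carries no jsessionid, so following it loses the session. ToyContainer, encode_url, guess_space_bits and follow_links are names chosen for this example; encode_url mimics what HttpServletResponse.encodeURL does when cookies are not in use.

```python
"""Toy model of servlet-style session tracking (added example, not a real container)."""

import math
import re
import secrets

# The servlet path parameter form: /path;jsessionid=<id>?query
JSESSIONID_RE = re.compile(r";jsessionid=([A-Za-z0-9]+)", re.IGNORECASE)


class ToyContainer:
    """Minimal stand-in for a servlet container's session bookkeeping (hypothetical)."""

    def __init__(self, id_bits=128):
        self.sessions = {}      # session id -> attribute dict
        self.id_bits = id_bits

    def new_session(self):
        # A real container should draw IDs from a CSPRNG; secrets does that here.
        sid = secrets.token_hex(self.id_bits // 8)
        self.sessions[sid] = {}
        return sid

    def resolve(self, path, cookie_header=""):
        """Return (session_id, created) for one incoming request.

        The id is looked up first in the URL path parameter, then in a
        JSESSIONID cookie. Unknown or absent ids get a fresh session."""
        m = JSESSIONID_RE.search(path)
        if m and m.group(1) in self.sessions:
            return m.group(1), False
        cm = re.search(r"\bJSESSIONID=([A-Za-z0-9]+)", cookie_header)
        if cm and cm.group(1) in self.sessions:
            return cm.group(1), False
        return self.new_session(), True

    @staticmethod
    def encode_url(url, sid):
        """URL rewriting: insert the jsessionid path parameter before any query string."""
        base, sep, query = url.partition("?")
        return f"{base};jsessionid={sid}{sep}{query}"


def guess_space_bits(alphabet_size, length):
    """log2 of the number of possible IDs for the given alphabet and length.

    A 6-digit decimal id gives about 19.9 bits; a 32-hex-digit id gives 128 bits."""
    return length * math.log2(alphabet_size)


def follow_links(container):
    """Simulate a first request, then follow a rewritten (dynamic) link and a
    hard-coded link from a static HTML file. Report which kept the session."""
    sid, _ = container.resolve("/app/start")
    dynamic_link = container.encode_url("/app/next?step=2", sid)
    static_link = "/app/static/help.html"   # literal href, nothing to rewrite it
    sid_dyn, created_dyn = container.resolve(dynamic_link)
    sid_static, created_static = container.resolve(static_link)
    return {
        "dynamic_kept_session": sid_dyn == sid and not created_dyn,
        "static_kept_session": sid_static == sid and not created_static,
    }


if __name__ == "__main__":
    c = ToyContainer()
    print(follow_links(c))
    print("6 decimal digits:", round(guess_space_bits(10, 6), 1), "bits")
    print("32 hex digits:   ", guess_space_bits(16, 32), "bits")
```

The static link comes back without any session id, so the container has to start a new session for it, which is exactly why the book says URL rewriting cannot be enforced for static pages; the cookie path in resolve shows why a cookie-based id is independent of how the page was produced.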
 