JavaRanch » Java Forums » Certification » Architect Certification (SCEA/OCMJEA)

Risk on session tracking

Nesan Krish
Ranch Hand

Joined: Feb 20, 2004
Posts: 40
Cade book (page 144) discusses the risks on using Cookies and URL Rewriting for session tracking, and concludes risk is high on URL Rewriting which I could not understand completely. Can anyone explain this point further? Thanks in advance.
Frank Silbermann
Ranch Hand

Joined: Jun 06, 2002
Posts: 1405
Storing the session ID in the URL requires a relatively short session ID. That may make it difficult to prevent hackers from breaking into other people's sessions by modifying the session ID. If you make the session ID a cookie or hidden form field, then first of all the hacker needs to be a bit smarter to hack his own browser first. Second, you can make the session ID larger, which makes it harder to guess a valid session ID.
Dan Drillich
Ranch Hand

Joined: Jul 09, 2001
Posts: 1183

A side issue.

The 'Professional Java Server Programming J2EE Edition' points to an interesting point about URL rewriting: "URL rewriting requires that all pages in the application be dynamically generated. URL rewriting cannot be enforced for static HTML pages, because the unique URL path parameter (the jsessionid) is dynamic and differs from user to user."


William Butler Yeats: All life is a preparation for something that probably will never happen. Unless you make it happen.
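The two points above (Frank's: an ID that rides in the URL is easier to leak and to guess; Dan's: URL rewriting cannot reach static pages, so it is never applied consistently) both point to the same mitigation, which is to run the application on cookie-based tracking only. The following is an added example for this thread, not code from Cade's book or from any of the posters. It assumes a Servlet 3.0 or later container (`javax.servlet` API); the class names `CookieOnlySessionConfig` and `RejectUrlSessionIdFilter` are made up for the illustration. The listener disables URL rewriting for the whole web application, so `response.encodeURL()` returns URLs unchanged and no `jsessionid` ever ends up in a link, bookmark, Referer header or access log. The filter is defence in depth for deployments where URL tracking has to stay enabled: a session ID that shows up in the path is treated as leaked or planted, the session it names is dropped and the request is refused. (With COOKIE-only tracking the container ignores the path parameter altogether, so the filter simply never fires.) The length of the ID itself is a container setting rather than something the Servlet API exposes, so it is not shown here.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical listener (example only): switches the web application to
 * cookie-only session tracking at startup, so URL rewriting is never used.
 */
@WebListener
public class CookieOnlySessionConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Accept and issue session IDs through the cookie only. After this,
        // response.encodeURL()/encodeRedirectURL() leave URLs untouched and
        // static pages and dynamic pages are handled the same way.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Harden the cookie that now carries the only copy of the ID.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable by page scripts
        cookie.setSecure(true);   // only sent over HTTPS, never in clear text
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

/**
 * Hypothetical filter (example only): refuses any request whose session ID
 * arrived as a URL path parameter instead of in the cookie. Only relevant
 * while URL tracking is still enabled in the container.
 */
@WebFilter("/*")
class RejectUrlSessionIdFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            // An ID in the URL has been copied around outside the browser's
            // cookie jar: assume it is compromised, kill the session it names,
            // record the event and stop processing this request.
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                existing.invalidate();
            }
            request.getServletContext().log(
                    "Session ID presented in URL; request refused, client "
                    + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Both classes are picked up by annotation scanning in a Servlet 3.0+ container; on an older container the same settings are expressed in `web.xml` (`<session-config>` with `<tracking-mode>COOKIE</tracking-mode>` and `<cookie-config>`) and the filter is registered with a `<filter>`/`<filter-mapping>` pair instead of the annotation.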