cocoon-users mailing list archives

From Joerg Heinicke <jheini...@virbus.de>
Subject Re: Need Session Help!
Date Fri, 26 Sep 2003 22:55:52 GMT
Sonny Sukumar wrote:
> 
> Hi guys,
> 
> I know I've brought up some session questions before, and I gained great 
> insight from those discussions, but there's some issues I want to 
> understand better before I make implementation decisions.  Assume the 
> context of a B2C e-commerce site when considering these issues....
> 
> ---Assume URL encoding is being used because a customer has all cookies turned off.
> 
> 1.) Customer puts a few items in her shopping cart.
> 2.) Customer logs in to view some account details.
> 3.) Customer then sees her friend on IM and copies a product page URL to her friend.  This URL contains her session ID.
> 4.) The friend clicks on the link and views the product page.  However, she
> now can click on "My Account" or whatever or "My Cart", and because she'll
> appear to be the first customer (she has the same session ID), she can view
> all the personal details she shouldn't be able to.
> 
> What's the best way to go here?

What about binding the session to an IP address? As I wrote the last 
time, I don't like cookies (security problem if somebody does not log out 
explicitly). For link rewriting you have the problem above. So why not 
test server side whether the login for a specific session was done using 
the same IP as the current request? The friend who got the copied link 
does not have a valid IP/session ID combination and has to log in herself.

Joerg


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org
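The check Joerg describes, as an added example that is not code from the thread or from Cocoon: an in-memory session store records the client IP at login and treats a session as logged in only when a later request arrives from that same IP. It is written in Python rather than Java to keep the walk-through short; the session store, the `my_account` handler, the customer and friend IPs, and the `jsessionid` URL are all constructed for the demonstration.

```python
"""Added example, not code from the original thread or from Cocoon itself.

It models the suggestion in the reply: record the client IP when the
customer logs in and, on every later request, treat the session as logged
in only if the request comes from that same IP. A session id that leaks
through a URL then does not carry the login with it. All names, IPs and
the in-memory store are constructed for the demonstration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    sid: str
    cart: List[str] = field(default_factory=list)
    user: Optional[str] = None       # set once the customer logs in
    login_ip: Optional[str] = None   # client IP observed at login time


class SessionStore:
    """In-memory stand-in for the servlet container's session table."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> Session:
        # Unguessable id; the leak in the thread is via copy/paste, not guessing.
        session = Session(sid=secrets.token_urlsafe(24))
        self._sessions[session.sid] = session
        return session

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str, client_ip: str) -> None:
        session = self._sessions[sid]
        session.user = user
        session.login_ip = client_ip   # bind the login to this address

    def is_logged_in(self, sid: str, client_ip: str) -> bool:
        """True only if the session was logged in from the requesting IP."""
        session = self._sessions.get(sid)
        if session is None or session.user is None:
            return False
        return session.login_ip == client_ip


def my_account(store: SessionStore, sid: str, client_ip: str) -> str:
    """Handler for 'My Account': shows details or demands a fresh login."""
    if not store.is_logged_in(sid, client_ip):
        return "login required"
    return f"account details for {store.get(sid).user}"


def walk_through() -> dict:
    """Replays the four steps from the question with IP binding in place."""
    store = SessionStore()
    customer_ip, friend_ip = "203.0.113.10", "198.51.100.7"  # constructed

    # 1) customer puts items in her cart (cookies off, so the sid rides in URLs)
    session = store.create()
    session.cart.extend(["book", "headphones"])
    # 2) customer logs in; the login is tied to her IP
    store.login(session.sid, "alice", customer_ip)
    # 3) she pastes a URL that carries the session id
    shared_url = f"/product/42;jsessionid={session.sid}"
    leaked_sid = shared_url.split("jsessionid=")[1]
    # 4) the friend follows it and clicks "My Account" from a different IP
    return {
        "friend_sees": my_account(store, leaked_sid, friend_ip),
        "customer_sees": my_account(store, session.sid, customer_ip),
    }


if __name__ == "__main__":
    print(walk_through())
```

Two caveats worth keeping in mind when applying this: clients behind the same NAT or proxy share an IP, so the check does nothing between them, and a customer whose address changes mid-session (mobile or dial-up) is logged out. In practice the IP check is usually paired with issuing a fresh session id at login, so that a URL copied before or after login never carries the logged-in session.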

