tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steffen Heil" <>
Subject AW: Session ID in URL
Date Sat, 23 Oct 2004 08:11:07 GMT

> How do I deal with a situation where a user logged in and found something
interesting on my site and decided to give the URL address (with jsessionid)
of the page to his/her friend? Since the URL has the session id of the
sender, the receiver clicks on the link and will have access to the sender
account details.

You can do some things:
1. If the remote ip changes, drop the session.
2. If referer of the request is not set, drop the session.

Both have their drawbacks tough:
1. will fail if the dynamic ip changes: The legitimate user will be logged
2. will fail if the browser or a proxy removes the referer: The user will
not be able to login.

Also, this will no secure everything:
Two users behind one proxy will not be destinguishable, therefor if they
copy urls, the problem recurs.
Obviously, there is another solution: Switch to cookies instead of SID in

And on the other hand: Warn the user upon login not to share urls.
It is their liability not to share their password, so if they are warned, it
can be their liability not to share session ids.


View raw message