On Sat, 31 Jul 2004, Manish Prabhune wrote:
> Passing session ID in URL is fine.
> But if I copy the URL and mail it to another
> mobile phone the session gets continued there.
Not necessarily. It's continued if the other person comes to the site
before the session expires, and you're not doing any other checking.
If you're worried about session keys being passed around, I would check
the IP address and the user-agent header as well, and not use that
session if they're not the same as the ones the session was originally
Curt Sampson <cjs_at_cynic.net> +81 90 7737 2974 http://www.NetBSD.org
Don't you know, in this new Dark Age, we're all light. --XTC
Received on Sun Aug 1 05:40:42 2004
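
The check suggested in the reply above, sketched server-side as an added example (not code from the original thread): a URL-carried session ID is honoured only if it has not expired and the request's IP address and User-Agent match the ones recorded when the session was created. The names `SessionStore` and `SESSION_TTL`, the reason strings and the 15-minute timeout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds of idle time before expiry (assumed value)


class SessionStore:
    """In-memory session table keyed by the ID carried in the URL (hypothetical)."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _fingerprint(ip, user_agent):
        # Store a digest rather than the raw address and header.
        return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()

    def create(self, ip, user_agent):
        sid = secrets.token_urlsafe(32)  # unguessable ID for the URL
        self._sessions[sid] = {
            "fp": self._fingerprint(ip, user_agent),
            "expires": self._clock() + self._ttl,
            "data": {},
        }
        return sid

    def lookup(self, sid, ip, user_agent):
        """Return (data, reason); data is None when the session is not usable."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None, "unknown"
        if self._clock() >= entry["expires"]:
            del self._sessions[sid]
            return None, "expired"
        if not hmac.compare_digest(entry["fp"], self._fingerprint(ip, user_agent)):
            # Refuse the request but keep the session, so a forwarded URL
            # cannot be used to log the original client out.
            return None, "client-mismatch"
        entry["expires"] = self._clock() + self._ttl  # sliding expiry
        return entry["data"], "ok"
```

Carrier gateways and proxies can change a phone's source address mid-session, so a strict IP match will also reject some legitimate requests; the mismatch branch is where a looser policy would be applied.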