Yes, but if you give them 20-char session IDs, their chances of guessing someone elses are really quite low. Very, very low. Tiny, in fact.
Of course, this doesn't stop someone hijacking their session. For this, you would want to send a different session number with every page, and only allow them to continue if you get it back with the request for the next page. Quite difficult to do, and very annoying for them if they want to browse in two windows at the same time. Or use SSL. ____________________
Jeremy
I didn't believe in evil until I dated it. | [reply] |
and if they go back 3 pages and do somethign different so that they are using the session ID from 3 requests ago, are they just out of luck?
or, to be a little more explicit,
| action | sends session_ID |
| user comes to site | n/a |
| server serves main page | n/a |
| user logs in | n/a |
| server shows logged-in page | 123 |
| user requests page 52 | 123 |
| server gives page 52 | 456 |
| user requests page 52-c | 456 |
| server gives page 52-c | 135 |
| user requests page 52-f | 135 |
| server gives page 52-f | 237 |
user hits "back" to go
back to login screen
and requests page 38 | 123 |
| server was expecting 237 ... what does it do? | ? |
this case, and others like it, make me think this method is unworkable. but maybe you see it differently; maybe i'm overlooking something, or maybe you just are willing to do more work than i am. but if it will continue to accept old session_ID's, then why bother changing them? and if it won't, i think a lot of people are going to be upset at the inability to "back".
| [reply] |
Yes, that's why it's annoying. Well spotted. Use SSL instead.
This system was common at one point in time - it's not so bad, you just have to use the navigation buttons the site provides. ____________________
Jeremy
I didn't believe in evil until I dated it.
| [reply] |