http://www.httprecipes.com/1/8/cookieless.php
This URL presents a login page, as seen in Figure 8.1.
Figure 8.1: A Login Page
To log in to the system, enter the user id "falken" and the password "joshua". You
will then be taken to a search page. This search page is only available from inside the web
site; you must log in to access it. However, notice the URL. It is now much longer, and
will be something similar to:
http://www.httprecipes.com/1/8/menunc.php?session=9pwoditnygyyvot97k2jexx8oakelnvz
This URL specifies a session. A session is usually nothing more than a row in the web
server's database that links a session string, as seen above, to a user. The only way to imitate
another user is to try to pick the session string of another user who is currently logged
into the system. This will usually not work either, because the web server usually also stores
the IP address associated with a session. As a result, if another user tries to hijack a session,
the IP addresses will be different, and the attack will be thwarted.
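The session row and IP check described above can be sketched as follows. This is an added example, not code from the book or from the httprecipes.com site. The class name `SessionTable`, the 32-character lowercase alphanumeric format (modeled on the URL above), and the sample IP addresses are assumptions. It requires Java 16 or later.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class SessionTable {
    // One "row": the user and the client IP recorded at login.
    private record Row(String user, String ip) {}

    private static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Row> rows = new ConcurrentHashMap<>();

    // Create a session row and return the string that goes in ?session=...
    public String login(String user, String clientIp) {
        StringBuilder sb = new StringBuilder(32);
        for (int i = 0; i < 32; i++) {
            sb.append(ALPHABET.charAt(random.nextInt(ALPHABET.length())));
        }
        String session = sb.toString();
        rows.put(session, new Row(user, clientIp));
        return session;
    }

    // Resolve a session string to a user, but only for the IP that logged in.
    public Optional<String> resolve(String session, String clientIp) {
        if (session == null) {
            return Optional.empty();
        }
        Row row = rows.get(session);
        if (row == null || !row.ip().equals(clientIp)) {
            return Optional.empty(); // unknown session, or presented from another IP
        }
        return Optional.of(row.user());
    }

    public static void main(String[] args) {
        SessionTable table = new SessionTable();
        // Constructed sample data: documentation-range IP addresses.
        String session = table.login("falken", "192.0.2.10");
        System.out.println("URL: menunc.php?session=" + session);
        System.out.println("same IP:      " + table.resolve(session, "192.0.2.10"));
        System.out.println("different IP: " + table.resolve(session, "198.51.100.7"));
        System.out.println("guessed id:   "
                + table.resolve("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "192.0.2.10"));
    }
}
```

Only the first lookup returns the user. The same session string presented from a different address, and a guessed string with no matching row, both resolve to empty.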