Disposable session ID for Web applications for Internet access capable mobile phones
Original Publication Date: 2002-Oct-10
Included in the Prior Art Database: 2003-Jun-21
Disclosed is a device that provides a safer session ID for Internet access using HTTP. Many Web browsers embedded in Internet-access-capable mobile phones are not capable of storing cookies or the basic authentication login information (i.e. user ID and password).

In order to allow session-based applications such as shopping cart applications to establish sessions, so that the shopping cart can be identified as belonging to a particular user when cookies cannot be used, one method is to embed the session IDs in the URLs. The Web server (httpd server, Web application server, proxy server, etc.) generates a session ID if a user's login is successful, and after that the user submits HTTP requests using a URL that includes the session ID. The server extracts the session ID, identifies the accessing user, and the session can be established.

Using this method, there are two problems:

(1) It is easier to impersonate some other user's session than when using cookies.

(i) A session ID can be snooped easily, and if somebody else sends the URL with the captured session ID, it is easy for the imposter to pretend to be the proper user while the session is still active.
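The following is an added illustration, not code from the disclosure, of the URL-embedded session mechanism described above together with the "disposable" behaviour the title refers to: the server issues a session ID at login, extracts it from the query string of each request, and consumes it on use, so that a URL captured from the network stops working as soon as the legitimate user makes their next request. The query parameter name `sid`, the in-memory store and the helper names are assumptions made for the example.

```python
import secrets
from urllib.parse import urlparse, parse_qs, urlencode


class SessionStore:
    """Hypothetical in-memory store mapping session ID -> user ID.
    A real server would add expiry and persistence; omitted here."""

    def __init__(self):
        self._sessions = {}

    def login(self, user_id):
        """Issue a fresh, unguessable session ID after a successful login."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = user_id
        return sid

    def rotate(self, sid):
        """Disposable session ID: consume the presented ID and issue a new one.
        Returns (user_id, new_sid), or (None, None) if the ID is unknown
        or has already been used (i.e. a replayed URL)."""
        user = self._sessions.pop(sid, None)
        if user is None:
            return None, None
        new_sid = secrets.token_urlsafe(16)
        self._sessions[new_sid] = user
        return user, new_sid


def session_id_from_url(url):
    """Extract the session ID embedded in the URL query string
    (parameter name 'sid' is an assumption of this example)."""
    values = parse_qs(urlparse(url).query).get("sid")
    return values[0] if values else None


def url_with_session(url, sid):
    """Rewrite the URL so its query string carries the given session ID."""
    return urlparse(url)._replace(query=urlencode({"sid": sid})).geturl()


def handle_request(store, url):
    """Server-side handling of one request.
    Returns (user_id, next_url) where next_url carries the replacement ID
    the client must use for its next request, or (None, None) if the
    request carried no valid, unused session ID."""
    sid = session_id_from_url(url)
    if sid is None:
        return None, None
    user, new_sid = store.rotate(sid)
    if user is None:
        return None, None
    return user, url_with_session(url, new_sid)


def replay_demo():
    """Walk through login, a legitimate request, and a replay of the
    captured URL; returns the outcome of each step for inspection."""
    store = SessionStore()
    first_url = url_with_session("http://shop.example/cart", store.login("alice"))
    user, next_url = handle_request(store, first_url)   # legitimate request
    replayed = handle_request(store, first_url)         # snooped URL re-sent
    follow_up = handle_request(store, next_url)         # user's next request
    return {
        "first_user": user,
        "replay_rejected": replayed == (None, None),
        "follow_up_user": follow_up[0],
    }


if __name__ == "__main__":
    print(replay_demo())
```

Because each ID is single-use, a captured URL is only useful until the real user's next request; the cost is that the client must always follow the freshly rewritten URLs the server hands back, and a lost response (or the user pressing "back") ends the session rather than leaving a long-lived ID exposed.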