refresh in frameset

Anon

Hi,
i use in frameset and sessionID that create
in the cgi ,if the user click on the menu its
not problem because i sending the session but
when he click on refresh i dont send the session because the explorer go to the address bar ("10.0.0.127/main.cgi") without
the session what can id do?
i do not want to put the session on my address bar (security)!
how can i know if the user click on refresh??

frigidman

"i do not want to put the session on my address bar (security)! "

I don't want to bust your bubble, but wherever you put the sessionID in an html page, wether in hidden input, or whatnot, people are going to be able to find out what it is.

The whole point of a sessionID per user, is so on the server side you can keep track who is whom.

Only way to truly hide what a sessionID is in someones browser, is by encrypting it, and using a https SSL layer to help prevent prying eyes, and adding backend IP checks with every form and link submittal to make sure no one is hijacking the sessionID.