Hi all,

I have some quesitons regarding session id's.

Consider the following scenario:

User requires access to a web application for a long period of time
with inactivity. Therefore assume that sessionID never expires.

Session information stored on web server (or application server) says
that this user has read-only access to the information shown on the
page which is extracted from a database.

The application auto refreshes the page on the browser every 15
minutes with updated info that other users may have entered in the
preceding period.

Is it possible for:

1.  Another user to change the session information on the server and
change access from read only to write (by knowing the session id)?

2.  Knowing the session id (perhaps from info on the URL) can one
create another session from another browser using the same session ID?

3.  How can you effectively limit concurrent access to only 1 session?

4.  If client side certificates were to be used, could you create
another session from another browser once the first session was
authenticated?  ie, how do you restrict the access to only one
browser?

5.  If you are using server side validation for all user invoked
queries, is it still possible to force data into the application to
elevate your role?  Assume that user roles are clearly defined in the
db.

6.  If a user with high privileges (such as write to db) leaves a
workstation unattended with no session timeout, are there any controls
that one could put in place to still validate the user is the
privilged user after a period of time?  for example keep session
active, but to make any changes application must validate information
on a usb key?

7.  How do you choose between session ID's tagged in URL, Session IDs
in cookies?  How do you restrict the information in either URL or
cookie so that users can't use this info to abuse the applicaiton?

Thanks

Johnny