We are using cookieless sessions, and so the URL shows the session id,
e.g. http://ourdomain.com(ixbradnm5qmdfwi.../somepage.aspx.
When a user comes to our main page, they have to provide a username and
password. We authenticate the username and password against our
database, and if they match, we let the user in the door, so to speak,
by assigning session variables with a new visitid, and a unique
visitorid, and then redirecting the user to our internal pages.
We want each user's session to be unique to the user.
How can we stop the practice where a user, who has made it through the
door, pastes an inner page's URL into an email message and sends it to
his or her colleagues (when they find something they'd like to share,
for example)? If the session hasn't timed out, the colleagues who
receive the email and click on the link get access to the original
user's session and personal information, such as last 10 items viewed,
email address, interests, and so forth.
Thanks
Liam
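
One way to keep a forwarded URL from opening the sender's session, as an added example that is not part of the original post: leave the session id in the URL but bind the session to a random token held in a browser cookie, so the id alone is not enough. It assumes the users' browsers accept cookies; `BindSessionToBrowser`, `sbind` and `SessionBindToken` are hypothetical names.

```csharp
// Global.asax.cs: added example, not the poster's code.
using System;
using System.Security.Cryptography;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical names, not from the post.
    private const string BindCookie = "sbind";
    private const string BindKey = "SessionBindToken";

    // Call from the login page once the username and password have matched,
    // before the redirect to the internal pages.
    public static void BindSessionToBrowser(HttpContext ctx)
    {
        byte[] raw = new byte[32];
        RandomNumberGenerator.Create().GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "");  // hex, cookie-safe

        ctx.Session[BindKey] = token;              // server-side copy
        HttpCookie cookie = new HttpCookie(BindCookie, token);
        cookie.HttpOnly = true;                    // not readable from script
        cookie.Secure = ctx.Request.IsSecureConnection;
        ctx.Response.Cookies.Add(cookie);          // travels in a header, never in the URL
    }

    // Runs on every request after session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;           // handler without session state
        string expected = ctx.Session[BindKey] as string;
        if (expected == null) return;              // nobody has logged in on this session

        HttpCookie sent = ctx.Request.Cookies[BindCookie];
        if (sent == null || !SameToken(sent.Value, expected))
        {
            // Refuse the request but keep the session, so the original user stays logged in.
            ctx.Response.StatusCode = 403;
            ctx.Response.End();
        }
    }

    // Comparison whose timing does not depend on where the strings differ.
    private static bool SameToken(string a, string b)
    {
        if (a == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

If cookies can be relied on for every user, setting `cookieless="false"` on the `<sessionState>` element in web.config takes the session id out of the URL altogether.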