Wilson G. wrote:
> Hi everyone,
>
> I found out a weird thing today. I logged in to a Struts app and got
> forwarded to the homepage, which contains a sortable displaytag table. The
> URL for the sortable columns of the table contains the user name and password
> I entered!
>
> For example, on the login page, I used the login Test/myPassword, and the URL
> for a sortable column is the following:
>
> http://127.0.0.1:7767/test/homepage.do?d-1111-s=3&d-1111-o=2&passwd=myPassword&submit=login&username=Test
>
> Any idea why it does that, and how I can fix this security risk?
>

If the <display:table> does not have a requestURI attribute then displaytag will use the current URL to request changes to the table. Looks like in this case it's picked up your username and password from login and put them into the request.

I would guess that the login form is using GET to send the username and password rather than POST. Changing the action attribute of the <form> element to POST should remove them from your displaytag URLs. Logging in should be a POST action because you are changing the server's state (it now registers you as logged in) rather than just requesting some data.
Ed!

_______________________________________________
displaytag-user mailing list
displaytag-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/displaytag-user
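The two changes described in the reply, as an added illustration that is not code from either poster or from the displaytag project: the login form switched from GET to POST, and the homepage table given an explicit requestURI so its sort/page links are built from a fixed path instead of whatever request (and query string) happened to render the page. The action name /login, the bean name items and the column are assumed.

```jsp
<%-- Login page, before (assumed): GET puts username/passwd in the URL,
     so they end up in browser history, proxy/server logs and, via
     displaytag's default behaviour, in every sortable-column link. --%>
<html:form action="/login" method="get">
  <html:text property="username"/>
  <html:password property="passwd"/>
  <html:submit property="submit" value="login"/>
</html:form>

<%-- Login page, after: POST carries the credentials in the request body,
     so no later link or log line derived from the URL can contain them. --%>
<html:form action="/login" method="post">
  <html:text property="username"/>
  <html:password property="passwd"/>
  <html:submit property="submit" value="login"/>
</html:form>

<%-- Homepage table: requestURI pins the URL displaytag uses for its own
     d-<id>-s / d-<id>-o sort and order parameters. Without it, displaytag
     copies the current request URL, including any query string it carried
     (here the forwarded login parameters), into each column header link. --%>
<display:table name="items" id="row" requestURI="/homepage.do">
  <display:column property="name" title="Name" sortable="true"/>
</display:table>
```

Setting requestURI alone stops the credentials reaching the table links, but the login request itself is still a GET and still logged everywhere in between, so the form method change is the fix that matters; the requestURI is defence in depth.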