> On Fri, 20 Oct 2000, Lorena Carlo wrote:
> > Can somebody tell me if there is a risk in declaring a session
> > variable that contains passwords?
>
> Ask yourself why you need to. People usually store them encrypted in
> cookies.

     Back before JSP and the servlet spec became popular, the session
variables were often called server-side cookies.  If you can be sure
that the mechanism that keeps the variables isn't going to be exposed
to the outside world, then it's relatively safe for use in
trivial-security circumstances.  I suspect Lorena meant something like
this.  However, if the storage mechanism is relatively secure, then
why bother storing the password?  Why not just store the
logged-in=true that somebody suggested?

     In more secure settings, what is often done is: the server side
generates an encrypted temporary serial number that it hands to the
browser (under SSL in any event, but).  The server side keeps track of
this info with a session variable with a short (5-10 minutes) timeout
that is refreshed with each request that comes in.  This helps to
narrow the possible window of vulnerability if the user walks away
from the machine without shutting down the browser.

     Of course this *still* isn't very secure, but then again nothing
taking place over a browser really is....

Steven J. Owens
[EMAIL PROTECTED]
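The pattern Steven describes (server issues a random temporary id over SSL, keeps the real state in a server-side session with a short idle timeout that every request refreshes, and stores only a logged-in flag rather than the password) maps directly onto the servlet API's HttpSession. The code below is an added illustration written for this thread, not code from the original post or from any project; it assumes a servlet container that issues the session cookie, and `Credentials.check(user, password)` is a hypothetical stand-in for whatever password store (holding hashes, not passwords) the application already has.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the original thread. Assumes a servlet container;
// Credentials.check(...) below is a hypothetical placeholder.
public class LoginServlet extends HttpServlet {

    // Idle timeout in seconds (the "5-10 minutes" from the post). The container
    // restarts this countdown on every request that presents the session id,
    // which is the "refreshed with each request" behaviour described above.
    private static final int IDLE_TIMEOUT_SECONDS = 10 * 60;

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Credentials and the session id must only ever travel over SSL.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL required");
            return;
        }

        String user = request.getParameter("user");
        String password = request.getParameter("password");
        if (user == null || password == null || !Credentials.check(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Drop any session that existed before login so the post-login state
        // lives under a fresh id generated by the container.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);

        // Only the fact of being logged in (and who) is kept server-side.
        // The password itself is deliberately NOT stored anywhere.
        session.setAttribute("loggedIn", Boolean.TRUE);
        session.setAttribute("user", user);

        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Explicit logout: destroy the server-side state so the id is worthless.
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login");
    }
}

/** Guard for protected pages: trusts only the server-side flag, never a client value. */
class AuthCheck {
    static boolean isLoggedIn(HttpServletRequest request) {
        // getSession(false): do not create a session just to find it empty.
        HttpSession session = request.getSession(false);
        return session != null && Boolean.TRUE.equals(session.getAttribute("loggedIn"));
    }
}

/** Hypothetical placeholder; a real one compares against stored password hashes. */
class Credentials {
    static boolean check(String user, String password) {
        return false; // replace with the application's own lookup
    }
}
```

Protected servlets and JSPs call `AuthCheck.isLoggedIn(request)` and redirect to the login page when it returns false; once the idle timeout passes, the container discards the session and that check fails on its own, which is the narrowed "walked away from the machine" window the post refers to. Marking the session cookie itself as secure-only is container configuration rather than servlet code, so it is not shown here.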

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
