If you're worried about the session data being compromised or otherwise
stolen, you could just hash it.  MD5 the user's password at login and store
the hash.  Then when you need to re-prompt the user, hash the answer and
compare.  That way the password can't be ripped off if someone finds a way
to get at that session data.

   Mike
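Mike's scheme ("hash at login, keep only the hash in session, hash the re-entered answer and compare"), written out as an added example that is not code from the thread. It runs against a plain `Map` so it works outside a servlet container; in a JSP/servlet application the map stands in for `HttpSession` (`setAttribute`/`getAttribute`). The attribute names, the per-session random salt, the use of SHA-256 in place of the MD5 Mike mentions, and the constant-time comparison are this example's own choices, not something the thread describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: re-prompt a logged-in user for their password without
 * keeping the cleartext password in the session. Only a salted digest is
 * stored, so someone who can read the session data does not get the password.
 */
public class SessionReauth {

    // Session attribute names are assumptions made for this example.
    static final String SALT_ATTR = "reauthSalt";
    static final String HASH_ATTR = "reauthHash";
    // Digest algorithm is a parameter; the thread mentions MD5, this example uses SHA-256.
    static final String ALGORITHM = "SHA-256";

    private static final SecureRandom RNG = new SecureRandom();

    /** Digest of salt || password, computed the same way at login and at re-prompt. */
    static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("digest algorithm unavailable", e);
        }
    }

    /** At login: store a fresh random salt and the digest; never the password itself. */
    static void rememberAtLogin(Map<String, Object> session, String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        session.put(SALT_ATTR, salt);
        session.put(HASH_ATTR, hash(salt, password));
    }

    /** On a sensitive operation: re-hash the answer the user typed and compare digests. */
    static boolean reauthenticate(Map<String, Object> session, String answer) {
        byte[] salt = (byte[]) session.get(SALT_ATTR);
        byte[] expected = (byte[]) session.get(HASH_ATTR);
        if (salt == null || expected == null) {
            // Nothing to compare against in this session: require a full login instead.
            return false;
        }
        // MessageDigest.isEqual compares in constant time, so response timing
        // does not reveal how many leading bytes of the digest matched.
        return MessageDigest.isEqual(expected, hash(salt, answer));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // stands in for HttpSession
        rememberAtLogin(session, "constructed-sample-password");
        System.out.println("correct answer accepted: "
                + reauthenticate(session, "constructed-sample-password"));
        System.out.println("wrong answer accepted:   "
                + reauthenticate(session, "not-the-password"));
        // The session now holds a salt and a digest, not the password string.
        System.out.println("password string in session: "
                + session.containsValue("constructed-sample-password"));
    }
}
```

Two things worth knowing when using this in practice: the hash stops the password from being read straight out of a leaked session, but a fast digest of a user-chosen password can still be guessed offline by whoever obtains the salt and digest, so the session store still needs to be protected; and the salt is regenerated at every login, so the stored digest is only ever valid for that one session and is discarded with it.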

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]]On Behalf Of Lorena Carlo
Sent: Friday, October 20, 2000 1:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [JSP-INTEREST] How risky it is to store passwords in a
session variable


Hello all, Thanks for the answers, but you haven't really answered me if it is
dangerous to do this or not.  The reason why I want to do this is for
validating a user after he has accessed the program, I want him to re-enter
the password for some operations, and I don't want to access the database
again, so I want to validate it with the session variable.

Please answer my question, and give alternatives if this is dangerous.

Thanks in advance

Lorena
----- Original Message -----
From: T A Flores <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 20, 2000 3:01 PM
Subject: Re: How risky it is to store passwords in a session variable


> I am unclear as to why you want to store a password in session.  Why
> don't you just pass around some type of validated indication and not
> the password.  Such as login=true;
>
> ----- Original Message -----
> From: Lorena Carlo <[EMAIL PROTECTED]>
> Date: Friday, October 20, 2000 12:12 pm
> Subject: How risky it is to store passwords in a session variable
>
> > Hello all,
> >
> > Can somebody tell me if there is a risk in declaring a session
> > variable that contains passwords?
> >
> > Thanks in advance
> >
> > Lorena
> >
> >
> ===========================================================================
> > To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
> > JSP-INTEREST".
> > Some relevant FAQs on JSP/Servlets can be found at:
> >
> > http://java.sun.com/products/jsp/faq.html
> > http://www.esperanto.org.nz/jsp/jspfaq.html
> > http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
> > http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
> >