Re: [jug-discussion] HttpSession question...

Chad Woolley Thu, 19 Feb 2004 20:44:18 -0800

I think you are right, otherwise the J2EE spec would be insecure by definition. A *request* attribute can be changed just by appending it as a URL parameter, but that is really just another name for a form field. Maybe that is what they are thinking of.

Robert Zeigler wrote:

However, someone made a claim to me recently that some information stored as a session attribute could be alterred directly by the user, client side, and therefore posed a security risk to a particular application.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [jug-discussion] HttpSession question...

Reply via email to