That's what I was thinking... but I wanted to bounce it off someone to make sure I wasn't going crazy. ;)

Thanks for the validation. =)

Robert

Chad Woolley wrote:

I think you are right, otherwise the J2EE spec would be insecure by definition. A *request* attribute can be changed just by appending it as a URL parameter, but that is really just another name for a form field. Maybe that is what they are thinking of.

Robert Zeigler wrote:

However, someone made a claim to me recently that some information stored as a session attribute could be altered directly by the user, client side, and therefore posed a security risk to a particular application.




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
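
The distinction discussed in this thread, as an added example that is not part of the original messages: a plain-Java model of a server-side session table next to client-supplied request parameters. It does not use a servlet container, and the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Constructed model of container-managed sessions; not code from any real container.
public class SessionModel {
    // Server-side table: session ID -> attributes. Only the ID is sent to the client.
    static final Map<String, Map<String, Object>> SESSIONS = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    // At login the server writes the attribute and returns an unguessable ID.
    static String login(String role) {
        String id = new BigInteger(128, RNG).toString(16);
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("role", role);
        SESSIONS.put(id, attrs);
        return id;
    }

    // Query-string parameters are chosen by the client, like form fields.
    // (URL decoding is omitted to keep the model short.)
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new HashMap<>();
        if (query == null || query.isEmpty()) return params;
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            params.put(kv[0], kv.length > 1 ? kv[1] : "");
        }
        return params;
    }

    // Reports what the client claimed and what the server-side session actually holds.
    static String handle(String sessionCookie, String query) {
        String claimed = parseQuery(query).get("role");      // untrusted input
        Map<String, Object> attrs = SESSIONS.get(sessionCookie);
        // An unknown or forged session ID maps to no session at all.
        String actual = (attrs == null) ? "anonymous" : (String) attrs.get("role");
        return "param role=" + claimed + ", session role=" + actual;
    }

    public static void main(String[] args) {
        String cookie = login("user");
        // Appending a parameter changes the request, not the stored attribute.
        System.out.println(handle(cookie, "role=admin"));
        // Tampering with the cookie only loses the session; it cannot edit attributes.
        System.out.println(handle("deadbeef", "role=admin"));
    }
}
```

Authorization decisions should read the session value only; the remaining client-side exposure is the session ID itself, which is why it must be unguessable and protected in transit.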





