Hi Robert,

Your understanding is the same as mine. But, the security question you pose
is interesting. I wonder if it would be possible to change your session ID
and access someone else's session. Depending on the application, this could
be a security risk.

I'll have to look into that...

Andy

On 2/19/04 8:55 PM, "Robert Zeigler" <[EMAIL PROTECTED]> wrote:

> Recently, somebody proposed an interesting question to me which, though
> I'm pretty sure I know the answer, I've been unable to verify.
> So, I decided to turn here to see if someone with more wisdom than I had
> an answer. ;)
> My understanding of HttpSessions is that, unless you specifically write
> something to a cookie, the only thing stored on the client side is the
> sessionID (either via a cookie or via URL rewriting). However, if I do a
> session.setAttribute("someattr",someobject), that object is simply
> stored (typically in memory, though not necessarily) server side,
> available in the web application context.
> Correct so far?
> In other words, session "attributes" are not directly editable client
> side... right? I mean, this makes complete sense to me, as the client in
> a web app really doesn't give a hoot about foo or bar, it just wants
> html. However, someone made a claim to me recently that some information
> stored as a session attribute could be altered directly by the user,
> client side, and therefore posed a security risk to a particular
> application.
> Any thoughts?
> Thanks for the help on this... I've looked over the javadocs, etc., and
> while they don't say anything to negate my viewpoint, they also don't
> say anything specifically to validate it.
> 
> Robert
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

-- 
Andrew Barton 
eBlox, Inc. 
 
520.903.2541 x102 voice
520.903.2542 fax 

Discover storeBlox and webBlox at the new eBlox.com!
http://www.eblox.com
mailto:[EMAIL PROTECTED]
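An added example, not code from either message, that puts the two points of the thread into Java servlet terms: whatever is stored with setAttribute() stays in server memory keyed by the session ID, the client only ever holds that ID, and the ID is regenerated at login so an ID the browser arrived with (possibly chosen by someone else) never becomes an authenticated one. The servlet class, the /session-demo mapping and the credentialsValid() stub are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; map it to /session-demo in web.xml.
public class SessionDemoServlet extends HttpServlet {

    // Stub standing in for a real credential check.
    private boolean credentialsValid(String user, String pass) {
        return "demo".equals(user) && "demo".equals(pass);
    }

    // POST user=...&pass=... : log in and bind the user to a fresh session.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!credentialsValid(req.getParameter("user"), req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop any session the browser arrived with so a pre-login ID
        // (which the server did not necessarily hand to this user) is never
        // upgraded to an authenticated one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true); // container issues a new ID
        // Stored server side only; the response carries just the new ID cookie.
        session.setAttribute("user", req.getParameter("user"));
        resp.sendRedirect(req.getContextPath() + "/session-demo");
    }

    // GET: show what the server holds for the ID the client presented.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): an unknown or edited ID yields null rather than
        // a new session, so a tampered cookie exposes nothing.
        HttpSession session = req.getSession(false);
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        if (session == null || session.getAttribute("user") == null) {
            out.println("No authenticated session for the presented ID.");
            return;
        }
        out.println("Server-side attribute user=" + session.getAttribute("user"));
    }
}
```

Editing the cookie in the browser changes only which server-side entry is looked up; the attributes themselves are never sent to, or editable from, the client.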