BTW, It is possible to spoof someone else's session id cookie, posing a security risk. An application with serious security concerns (banking, ecommerce) would need to pay attention to this vulnerability.
Nick
On Feb 19, 2004, at 10:41 PM, Andrew Barton wrote:
Hi Robert,
Your understanding is the same as mine. But, the security question you pose
is interesting. I wonder if it would be possible to change your session ID
and access someone else's session. Depending on the application, this could
be a security risk.
I'll have to look into that...
Andy
On 2/19/04 8:55 PM, "Robert Zeigler" <[EMAIL PROTECTED]> wrote:
Recently, somebody proposed an interesting question to me which, though
I'm pretty sure I know the answer, I've been unable to verify.
So, I decided to turn here to see if someone with more wisdom than I had
an answer. ;)
My understanding of HttpSessions is that, unless you specifically write
something to a cookie, the only thing stored on the client side is the
sessionID (either via a cookie or via URL rewriting). However, if I do a
session.setAttribute("someattr",someobject), that object is simply
stored (typically in memory, though not necessarily) server side,
available in the web application context.
Correct so far?
In other words, session "attributes" are not directly editable client
side... right? I mean, this makes complete sense to me, as the client in
a web app really doesn't give a hoot about foo or bar, it just wants
html. However, someone made a claim to me recently that some information
stored as a session attribute could be alterred directly by the user,
client side, and therefore posed a security risk to a particular
application.
Any thoughts?
Thanks for the help on this... I've looked over the javadocs, etc., and
while they don't say anything to negate my viewpoint, they also don't
say anything specifically to validate it.
Robert
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- Andrew Barton eBlox, Inc.
520.903.2541 x102 voice 520.903.2542 fax
Discover storeBlox and webBlox at the new eBlox.com! http://www.eblox.com mailto:[EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
