Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-25 Thread Christopher Schultz

Yawar,

On 8/21/2010 12:42 AM, Yawar Khan wrote:
 Chris, I had a look at container-managed authentication and it's quite handy,
 but I couldn't see how I can add extra functionality like calling an encryption
 function on the password text field before Tomcat does its authentication on it.

It's built-in. As long as you just want to do a simple hash of the
user's password (like MD5, SHA-256, etc.), you should be good to go.
Unfortunately, Tomcat does not currently support any salting of the
password before hashing.

 For JS, my client-side authentication is done on the form submit button click
 event; if the hackers do disable JavaScript, how will my HTML form be submitted?

You don't even need a page in order to submit a form to a web server.
You can use 'wget' from the command-line to synthesize a request if
you're lazy. If you're determined, you can write your own client that
feeds everything to the web server and acts just like a web browser.

 However, I will add some server-side validation as well; I agree that's
 important.

I should say so.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-23 Thread Yawar Khan

Felix, the issue still persists; I don't know what else to do, and I don't know
why this issue is popping up on the Linux environment only. Under Windows there is
no session mix-up issue.

Now these are no longer class-wide variables; I have moved them inside the login
function.







From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 6:07:18 PM
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux




Yawar Khan khanya...@yahoo.com wrote:

Thanks Felix, very nicely explained!

But do you think that declaring the connection and rs variables outside the login
function is causing the sessions mix-up issue?


Yes. But I think it is not messing with sessions, but rather messing with the 
values of your user beans.

Hth
  Felix




From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

On Friday, 20.08.2010, 21:54 -0700, Yawar Khan wrote:
 Chris, you identified a possible SQL injection in my code and declared it a
 very bad piece of code, despite the fact that JDBC does not allow more than
 one query on this execute function and I am doing field validation before
 submission of the form.

 Is there another genuine threat or bug that you identified and would like to
 share? Please do; I am sharing the udac source code as well.

 Wesley, your comments are also welcome. Somebody also asked what will happen
 in case udac.login throws an exception; well, exception handling is inside
 this class. Sorry, but I missed that email so I am unable to name that
 gentleman friend.
  
 package org.mcb.services;
  
 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;
  
    public class udac
    {
      static Connection currentCon = null;
      static ResultSet rs = null;
This seems to be really problematic. Having ResultSet and Connection
shared by many users is a bad idea.

Imagine what happens when two requests come in at the same time:

          Request A          Request B

        login(beanA)
            |
  currentCon=new Connection()
            |                login(beanB)
            |                    |
            |              currentCon=new Connection() # BOOM you are
overwriting the class wide variable currentCon.

Same thing can happen to rs too. So better place currentCon and rs as
method variables inside of login.
          
      
      public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try{
                epass = passwordservices.getInstance().encrypt(password);
                //passwordservices is a class which has functions to encrypt a
                //string and return back the string.
            }catch(Exception e){
                System.out.println(e);
I find it very useful to use a logging framework for reporting errors.
And adding information about the state in which the error occurred might
help finding the root cause more easily.

            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE,"
                + " a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM"
                + " LOGIN_INFORMATION a,"
                + " ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid
                + "') AND a.PASSWORD = '" + epass + "'";
If you are using prepared statements with parameters, you don't have to
worry if someone has forgotten to check those parameters for
SQL injection. But you were told so already.

Bye
Felix

            try{
                //connect to DB: connectionmanager is a class which contains
                //connection functions
                currentCon = connectionmanager.scgm_conn();                
                stmt=currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata=false;
                while(rs.next()) {
                    hasdata=true;
                    name = rs.getString("NAME");
                    user_id = rs.getString("USER_ID");
                    branch_code = rs.getString("BRANCH_CODE");
                    role_id = rs.getString("ROLE_ID");
                    last_login = rs.getString("LAST_LOGIN_DATE");
                    role_desc = rs.getString("ROLE_DESC");
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-23 Thread Felix Schumacher
On Mon, 23 Aug 2010 01:56:31 -0700 (PDT), Yawar Khan khanya...@yahoo.com
wrote:
 Felix, the issue still persists; I don't know what else to do, and I don't
 know why this issue is popping up on the Linux environment only. Under Windows
 there is no session mix-up issue.
Well, you have fixed one problem in your code, but maybe there are more
lurking inside your other classes. We haven't seen the code for
passwordservices.getInstance().encrypt(password) for example.
connectionmanager.scgm_conn() seems to be your own implementation as
well. You should look at all your classes and look for scope mistakes.
Always think about what could happen if this particular code block were
visited by two different requests at the same time.

If I remember correctly you had problems getting your source code to Linux
because of case sensitivity. Are the code bases for Linux and Windows the
same now, or do they differ with respect to case and package and class
names? If so, you should try to get the source code to Linux without
losing case sensitivity.

To help you further, we need more info.

Bye
 Felix
 
 Now these are no longer class-wide variables; I have moved them inside the
 login function.
 
 
 
 
 
 
 
 From: Felix Schumacher felix.schumac...@internetallee.de
 To: Tomcat Users List users@tomcat.apache.org
 Sent: Sat, August 21, 2010 6:07:18 PM
 Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
 
 
 
 Yawar Khan khanya...@yahoo.com wrote:
 
Thanks Felix, very nicely explained!

But do you think that declaring the connection and rs variables outside the
login function is causing the sessions mix-up issue?


 Yes. But I think it is not messing with sessions, but rather messing
with
 the 
 values of your user beans.
 
 Hth
   Felix




From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

On Friday, 20.08.2010, 21:54 -0700, Yawar Khan wrote:
 Chris, you identified a possible SQL injection in my code and declared it a
 very bad piece of code, despite the fact that JDBC does not allow more than
 one query on this execute function and I am doing field validation before
 submission of the form.

 Is there another genuine threat or bug that you identified and would like to
 share? Please do; I am sharing the udac source code as well.

 Wesley, your comments are also welcome. Somebody also asked what will happen
 in case udac.login throws an exception; well, exception handling is inside
 this class. Sorry, but I missed that email so I am unable to name that
 gentleman friend.
  
 package org.mcb.services;
  
 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;
  
    public class udac
    {
      static Connection currentCon = null;
      static ResultSet rs = null;
This seems to be really problematic. Having ResultSet and Connection
shared by many users is a bad idea.

Imagine what happens when two requests come in at the same time:

          Request A          Request B

        login(beanA)
            |
  currentCon=new Connection()
            |                login(beanB)
            |                    |
            |              currentCon=new Connection() # BOOM you are
overwriting the class wide variable currentCon.

Same thing can happen to rs too. So better place currentCon and rs as
method variables inside of login.
          
      
      public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try{
                epass =
passwordservices.getInstance().encrypt(password);
              //passwordservices is a class which has functions to encrypt a
              //string and return back the string.
            }catch(Exception e){
                System.out.println(e);
I find it very useful to use a logging framework for reporting errors.
And adding information about the state in which the error occurred might
help finding the root cause more easily.

            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE,"
                + " a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM"
                + " LOGIN_INFORMATION a,"
                + " ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid
                + "') AND a.PASSWORD = '" + epass + "'";
If you are using prepared statements with parameters, you don't have to
worry if someone has forgotten to check those parameters

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-23 Thread André Warnier

Yawar Khan wrote:
Felix, the issue still persists; I don't know what else to do, and I don't know
why this issue is popping up on the Linux environment only. Under Windows there is no
session mix-up issue.


Now these are no longer class-wide variables; I have moved them inside the login
function.


Hi.
This thread is already very long, and I think that by now most people have lost the 
ability to follow what is really going on.

Let me summarise and give you a few tips:

1) start again, clean: first, update your Tomcat (on both platforms) to the latest 6.0 
release, which is 6.0.29.  That should not take long, if you just downloaded and installed 
the standard version from http://tomcat.apache.org, as you mentioned.

Then, make sure that your latest application code is exactly the same on both 
platforms.
Then test again, and see if you still have the problem.

2) it seems that, whatever your problem is, people here are of the general opinion that it 
is due to something in your code, not in the Tomcat code.
Some people have already pointed out some apparent mistakes in your code, and you say that 
you have corrected them.  But now the situation may have become confused as to which code 
you are exactly running on the two platforms.


The people who answer on this list do it on their own time. They focus mainly on answering 
questions about the released Tomcat code, and about Tomcat configuration. They are less 
willing generally to invest a lot of time scrutinising and debugging your application 
code.  For that, you should use some other help.


3) the fact that you say that the problem does not occur under Windows, and does occur 
under Linux, is not a proof that something is wrong with Tomcat/Linux.  The Tomcat java 
code is the same in both cases.  What differs is the Java JVM under which it runs, but 
even that is supposed to hide the differences to the Java applications (of which Tomcat is 
one).
But there can be so many other differences in the architecture and in your setup between 
these two platforms, that a problem in your code can easily show up in one case, and not 
in the other.  People here do not have your setup, so they cannot determine these 
differences and find out how they might or not contribute to the issue.


4) If you think nevertheless that it has something to do with an error in Tomcat itself, 
(which is still possible, nothing is ever perfect) then instead of posting a bunch of 
application code and asking people to debug it, you could invest some time in adding a lot 
of debugging log messages in your code, and try to spot yourself where the mixup occurs. 
Make sure to add some information that allows you to determine if two or more simultaneous 
threads or sessions are stepping on each other's data.
If through that you can clearly see where the mixup occurs, and it does not appear to be 
the result of a logic error in your own code, then post here some clear information 
showing the problem.

Then, start a new thread here, with a new subject.








Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Wesley Acheson
On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:

 Chris, you identified a possible SQL injection in my code and declared it a
 very bad piece of code, despite the fact that JDBC does not allow more than
 one query on this execute function and I am doing field validation before
 submission of the form.

 Javascript / ECMAScript and any client side scripting are completely
by-passable and offer no security.
http://www.xs4all.nl/~sbpoley/webmatters/formval.html

So field validation doesn't help you. Also anyone can post to your servlets.

Are you using bindings for your SQL? I see security holes here but don't
have time for a use case.




 Is there another genuine threat or bug that you identified and would like to
 share? Please do; I am sharing the udac source code as well.


 Wesley, your comments are also welcome. Somebody also asked what will happen
 in case udac.login throws an exception; well, exception handling is inside
 this class. Sorry, but I missed that email so I am unable to name that
 gentleman friend.

 package org.mcb.services;

 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;

 public class udac
 {
     static Connection currentCon = null;
     static ResultSet rs = null;

     public static userbean login(userbean bean) {
         //preparing some objects for connection
         Statement stmt = null;
         String userid = bean.getUserId();
         String password = bean.getPassword();
         String epass = null;
         String name = null;
         String user_id = null;
         String role_id = null;
         String branch_code = null;
         String last_login = null;
         String role_desc = null;
         try{
             epass = passwordservices.getInstance().encrypt(password);
             //passwordservices is a class which has functions to encrypt a
             //string and return back the string.
         }catch(Exception e){
             System.out.println(e);
         }
         String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE,"
             + " a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM"
             + " LOGIN_INFORMATION a,"
             + " ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
         searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid
             + "') AND a.PASSWORD = '" + epass + "'";
         try{
             //connect to DB: connectionmanager is a class which contains
             //connection functions
             currentCon = connectionmanager.scgm_conn();
             stmt = currentCon.createStatement();
             rs = stmt.executeQuery(searchQuery);
             boolean hasdata = false;
             while(rs.next()) {
                 hasdata = true;
                 name = rs.getString("NAME");
                 user_id = rs.getString("USER_ID");
                 branch_code = rs.getString("BRANCH_CODE");
                 role_id = rs.getString("ROLE_ID");
                 last_login = rs.getString("LAST_LOGIN_DATE");
                 role_desc = rs.getString("ROLE_DESC");
                 bean.setName(name);
                 bean.setUserId(user_id);
                 bean.setBranch(branch_code);
                 bean.setRole(role_id);
                 bean.setLastLogin(last_login);
                 bean.setRoleDesc(role_desc);
                 bean.setValid(true);
             }
             if(!hasdata) {
                 System.out.println("Sorry, you are not a registered user!"
                     + " Please sign up first " + searchQuery);
                 bean.setValid(false);
             }
         }catch (Exception ex){
             System.out.println("Log In failed: An Exception has occurred! " + ex);
         }
         //some exception handling
         finally{
             if (rs != null) {
                 try {
                     rs.close();
                 } catch (Exception e) {}
                 rs = null;
             }

             if (stmt != null) {
                 try {
                     stmt.close();
                 } catch (Exception e) {}
                 stmt = null;
             }

             if (currentCon != null) {
                 try {
                     currentCon.close();
                 } catch (Exception e) {
                 }
                 currentCon = null;
             }
         }
         return bean;
     }
 }

 ysk
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, August 20, 2010 3:43 AM
 To: Tomcat Users List
 Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux


 Wesley,

 On 8/19/2010 5:04 PM, Wesley Acheson wrote:
  Maybe it's just me but I still don't see where uadc is declared or even
  imported.

 ...or even used.

 I'm guessing that the bad code

Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Pid
On 21/08/2010 05:42, Yawar Khan wrote:
 Chris, I had a look at container-managed authentication and it's quite handy,
 but I couldn't see how I can add extra functionality like calling an encryption
 function on the password text field before Tomcat does its authentication on it.

The Tomcat Documentation is an excellent resource and is worth the time
you'll spend reading it.  See the 'digest' attribute of the
DataSourceRealm.  (You are using a DataSource, aren't you?)

http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html#Standard_Implementation

 For JS, my client-side authentication is done on the form submit button click
 event; if the hackers do disable JavaScript, how will my HTML form be submitted?

By pushing the button?

By constructing a URL and posting to it using a non-browser script in an
automated attack client?

 However, I will add some server-side validation as well; I agree that's
 important.

Don't bother, just use the container auth.  That way you don't have to
worry about SQL injection attacks, because the SQL isn't poorly cobbled
together using String concatenation.


p

 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Friday, August 20, 2010 3:41 AM
 To: Tomcat Users List
 Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
  
 Yawar,
 
 On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
 your comments on my current code tells me that this code is not bad,
 but I should check out tomcat's container managed logins... right?
 
 This code seems to be doing more work than necessary. Container-managed
 authentication and authorization is a useful service provided by the
 container. I highly recommend taking a look at using it, but it may be
 ... disruptive to your existing workflows.
 
 plus I would like to mention that I have client side form validations
 (js) to stop query busters.
 
 I'm sure that hackers will be sure to leave javascript enabled when they
 visit your site.
 
 -chris

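The container-managed setup Chris and Pid point to, as an added example configuration (not from the thread or the Tomcat documentation): a DataSourceRealm over the poster's LOGIN_INFORMATION table with the 'digest' attribute so Tomcat hashes the submitted password before comparing it. The JNDI name jdbc/scgm, the DataSource connection settings, the page names and the URL pattern are placeholders, and the stored PASSWORD values are assumed to be unsalted hex-encoded SHA-256 digests.

```xml
<!-- META-INF/context.xml of the web application. Added example; jdbc/scgm and
     the DataSource connection settings are placeholders, not values from the
     thread. -->
<Context>

  <!-- The pool the realm queries; fill in the driver, URL and credentials of
       the database that holds LOGIN_INFORMATION and ROLES. -->
  <Resource name="jdbc/scgm" auth="Container" type="javax.sql.DataSource"
            driverClassName="DRIVER_CLASS_PLACEHOLDER"
            url="JDBC_URL_PLACEHOLDER"
            username="DB_USER_PLACEHOLDER" password="DB_PASSWORD_PLACEHOLDER"/>

  <!-- Tomcat runs its own parameterised lookup against these columns, so there
       is no String concatenation to inject into. digest="SHA-256" makes Tomcat
       hash the submitted password (hex-encoded) before comparing it with
       userCredCol, so the PASSWORD column must hold digests produced the same
       way; Tomcat 6 has no salting option. LOGIN_INFORMATION carries one
       ROLE_ID per user, so it doubles as the user-role table. The original
       query's ACTIVE = 'A' filter has no realm attribute; point userTable and
       userRoleTable at a view that applies it if inactive accounts must be
       refused. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/scgm"
         localDataSource="true"
         userTable="LOGIN_INFORMATION" userNameCol="USER_ID" userCredCol="PASSWORD"
         userRoleTable="LOGIN_INFORMATION" roleNameCol="ROLE_ID"
         digest="SHA-256"/>

</Context>

<!-- WEB-INF/web.xml: the login form posts j_username and j_password to
     j_security_check and the container does the lookup; the application
     never sees the password. Page names and URL pattern are placeholders. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>scgm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>application</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Role names are the ROLE_ID values of the ROLES table. -->
    <role-name>ROLE_ID_PLACEHOLDER</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>ROLE_ID_PLACEHOLDER</role-name>
</security-role>
```

Unlike the posted query, the realm matches USER_ID exactly rather than with LOWER(), and the role check moves into the container's auth-constraint, so the servlet code no longer needs its own password comparison at all.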








RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Felix Schumacher
) {
 try {
currentCon.close();
 } catch (Exception e) {
 }
  
 currentCon = null;
  }
 }
 return bean;
  
 }
 }
  
 ysk
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Friday, August 20, 2010 3:43 AM
 To: Tomcat Users List
 Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
  
  
 Wesley,
  
 On 8/19/2010 5:04 PM, Wesley Acheson wrote:
   Maybe it's just me but I still don't see where uadc is declared or even
   imported.
  
 ...or even used.
  
 I'm guessing that the bad code exists outside of this login servlet.
  
 - -chris
  
 
 
   






Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Yawar Khan
Wesley, no, I am not using SQL bindings; what are the security holes?

You haven't told me why my sessions are getting mixed up here.





From: Wesley Acheson wesley.ache...@gmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 3:16:23 PM
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:

 Chris, you identified a possible SQL injection in my code and declared it a
 very bad piece of code, despite the fact that JDBC does not allow more than
 one query on this execute function and I am doing field validation before
 submission of the form.

 Javascript / ECMAScript and any client side scripting are completely
by-passable and offer no security.
http://www.xs4all.nl/~sbpoley/webmatters/formval.html

So field validation doesn't help you. Also anyone can post to your servlets.

Are you using bindings for your SQL? I see security holes here but don't
have time for a use case.




 Is there another genuine threat or bug that you identified and would like to
 share? Please do; I am sharing the udac source code as well.


 Wesley, your comments are also welcome. Somebody also asked what will happen
 in case udac.login throws an exception; well, exception handling is inside
 this class. Sorry, but I missed that email so I am unable to name that
 gentleman friend.

 package org.mcb.services;

 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;

 public class udac
 {
     static Connection currentCon = null;
     static ResultSet rs = null;

     public static userbean login(userbean bean) {
         //preparing some objects for connection
         Statement stmt = null;
         String userid = bean.getUserId();
         String password = bean.getPassword();
         String epass = null;
         String name = null;
         String user_id = null;
         String role_id = null;
         String branch_code = null;
         String last_login = null;
         String role_desc = null;
         try{
             epass = passwordservices.getInstance().encrypt(password);
             //passwordservices is a class which has functions to encrypt a
             //string and return back the string.
         }catch(Exception e){
             System.out.println(e);
         }
         String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE,"
             + " a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM"
             + " LOGIN_INFORMATION a,"
             + " ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
         searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid
             + "') AND a.PASSWORD = '" + epass + "'";
         try{
             //connect to DB: connectionmanager is a class which contains
             //connection functions
             currentCon = connectionmanager.scgm_conn();
             stmt = currentCon.createStatement();
             rs = stmt.executeQuery(searchQuery);
             boolean hasdata = false;
             while(rs.next()) {
                 hasdata = true;
                 name = rs.getString("NAME");
                 user_id = rs.getString("USER_ID");
                 branch_code = rs.getString("BRANCH_CODE");
                 role_id = rs.getString("ROLE_ID");
                 last_login = rs.getString("LAST_LOGIN_DATE");
                 role_desc = rs.getString("ROLE_DESC");
                 bean.setName(name);
                 bean.setUserId(user_id);
                 bean.setBranch(branch_code);
                 bean.setRole(role_id);
                 bean.setLastLogin(last_login);
                 bean.setRoleDesc(role_desc);
                 bean.setValid(true);
             }
             if(!hasdata) {
                 System.out.println("Sorry, you are not a registered user!"
                     + " Please sign up first " + searchQuery);
                 bean.setValid(false);
             }
         }catch (Exception ex){
             System.out.println("Log In failed: An Exception has occurred! " + ex);
         }
         //some exception handling
         finally{
             if (rs != null) {
                 try {
                     rs.close();
                 } catch (Exception e) {}
                 rs = null;
             }

             if (stmt != null) {
                 try {
                     stmt.close();
                 } catch (Exception e) {}
                 stmt = null;
             }

             if (currentCon != null) {
                 try {
                     currentCon.close();
                 } catch (Exception e) {
                 }
                 currentCon = null;
             }
         }
         return bean;
     }
 }

 ysk
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, August 20, 2010 3:43 AM
 To: Tomcat Users List
 Subject

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Pid
On 21/08/2010 13:04, Yawar Khan wrote:
 Wesley, no, I am not using SQL bindings; what are the security holes?
 
 You haven't told me why my sessions are getting mixed up here.

Felix has.


p

 
 From: Wesley Acheson wesley.ache...@gmail.com
 To: Tomcat Users List users@tomcat.apache.org
 Sent: Sat, August 21, 2010 3:16:23 PM
 Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
 On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:
 
 Chris, you identified a possible SQL injection in my code and declared it a
 very bad piece of code, despite the fact that JDBC does not allow more than
 one query on this execute function and I am doing field validation before
 submission of the form.

 Javascript / ECMAScript and any client side scripting are completely
 by-passable and offer no security.
 http://www.xs4all.nl/~sbpoley/webmatters/formval.html
 
 So field validation doesn't help you. Also anyone can post to your servlets.
 
 Are you using bindings for your SQL? I see security holes here but don't
 have time for a use case.
 
 
 

 Is there another genuine threat or bug that you identified and would like to
 share? Please do; I am sharing the udac source code as well.


 Wesley, your comments are also welcome. Somebody also asked what will happen
 in case udac.login throws an exception; well, exception handling is inside
 this class. Sorry, but I missed that email so I am unable to name that
 gentleman friend.

 package org.mcb.services;

 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;

 public class udac
 {
     static Connection currentCon = null;
     static ResultSet rs = null;

     public static userbean login(userbean bean) {
         //preparing some objects for connection
         Statement stmt = null;
         String userid = bean.getUserId();
         String password = bean.getPassword();
         String epass = null;
         String name = null;
         String user_id = null;
         String role_id = null;
         String branch_code = null;
         String last_login = null;
         String role_desc = null;
         try{
             epass = passwordservices.getInstance().encrypt(password);
             //passwordservices is a class which has functions to encrypt a
             //string and return back the string.
         }catch(Exception e){
             System.out.println(e);
         }
         String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE,"
             + " a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM"
             + " LOGIN_INFORMATION a,"
             + " ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
         searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid
             + "') AND a.PASSWORD = '" + epass + "'";
         try{
             //connect to DB: connectionmanager is a class which contains
             //connection functions
             currentCon = connectionmanager.scgm_conn();
             stmt = currentCon.createStatement();
             rs = stmt.executeQuery(searchQuery);
             boolean hasdata = false;
             while(rs.next()) {
                 hasdata = true;
                 name = rs.getString("NAME");
                 user_id = rs.getString("USER_ID");
                 branch_code = rs.getString("BRANCH_CODE");
                 role_id = rs.getString("ROLE_ID");
                 last_login = rs.getString("LAST_LOGIN_DATE");
                 role_desc = rs.getString("ROLE_DESC");
                 bean.setName(name);
                 bean.setUserId(user_id);
                 bean.setBranch(branch_code);
                 bean.setRole(role_id);
                 bean.setLastLogin(last_login);
                 bean.setRoleDesc(role_desc);
                 bean.setValid(true);
             }
             if(!hasdata) {
                 System.out.println("Sorry, you are not a registered user!"
                     + " Please sign up first " + searchQuery);
                 bean.setValid(false);
             }
         }catch (Exception ex){
             System.out.println("Log In failed: An Exception has occurred! " + ex);
         }
         //some exception handling
         finally{
             if (rs != null) {
                 try {
                     rs.close();
                 } catch (Exception e) {}
                 rs = null;
             }

             if (stmt != null) {
                 try {
                     stmt.close();
                 } catch (Exception e) {}
                 stmt = null;
             }

             if (currentCon != null) {
                 try {
                     currentCon.close();
                 } catch (Exception e) {
                 }
                 currentCon = null;
             }
         }
         return bean;
     }
 }

 ysk
 -Original

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Yawar Khan
Thanks Felix, very nicely explained!

But do you think that declaring the connection and rs variables outside the login
function is causing the sessions mix-up issue?






From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

On Friday, 20.08.2010, 21:54 -0700, Yawar Khan wrote:
 Chris, you identified a possible SQL injection in my code and declared it a
 very bad piece of code, despite the fact that JDBC does not allow more than
 one query on this execute function and I am doing field validation before
 submission of the form.

 Is there another genuine threat or bug that you identified and would like to
 share? Please do; I am sharing the udac source code as well.

 Wesley, your comments are also welcome. Somebody also asked what will happen
 in case udac.login throws an exception; well, exception handling is inside
 this class. Sorry, but I missed that email so I am unable to name that
 gentleman friend.
  
 package org.mcb.services;
  
 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;
  
    public class udac
    {
      static Connection currentCon = null;
      static ResultSet rs = null;
This seems to be really problematic. Having ResultSet and Connection
shared by many users is a bad idea.

Imagine what happens when two requests come in at the same time:

          Request A          Request B

        login(beanA)
            |
  currentCon=new Connection()
            |                login(beanB)
            |                    |
            |              currentCon=new Connection() # BOOM you are
overwriting the class wide variable currentCon.

Same thing can happen to rs too. So better place currentCon and rs as
method variables inside of login.
          
      
      public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try{
                epass = passwordservices.getInstance().encrypt(password);
                //passwordservices is a class which has functions to encrypt a string and return back the string.
            }catch(Exception e){
                System.out.println(e);
I find it very useful to use a logging framework for reporting errors.
And adding information about the state in which the error occurred might
help finding the root cause more easily.

            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";
If you are using prepared statements with parameters, you don't have to
worry if someone has forgotten to check those parameters for
SQL injection. But you were told so already.

Bye
Felix

            try {
                //connect to DB: connectionmanager is a class which contains connection functions
                currentCon = connectionmanager.scgm_conn();
                stmt = currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata = false;
                while (rs.next()) {
                    hasdata = true;
                    name = rs.getString("NAME");
                    user_id = rs.getString("USER_ID");
                    branch_code = rs.getString("BRANCH_CODE");
                    role_id = rs.getString("ROLE_ID");
                    last_login = rs.getString("LAST_LOGIN_DATE");
                    role_desc = rs.getString("ROLE_DESC");
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code);
                    bean.setRole(role_id);
                    bean.setLastLogin(last_login);
                    bean.setRoleDesc(role_desc);
                    bean.setValid(true);
                }
                if (!hasdata) {
                    System.out.println("Sorry, you are not a registered user! Please sign up first" + searchQuery);
                    bean.setValid(false);
                }
            } catch (Exception ex) {
                System.out.println("Log In failed: An Exception has occurred! " + ex);
            }
            //some exception handling
            finally {
                if (rs != null) {
                    try
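
The interleaving Felix draws above ("Request A stores its row, Request B overwrites the shared field, Request A carries on"), reproduced as an added example that is not code from this thread. Oracle is replaced by a constructed in-memory map, the class name, the bean and the two latches are my own, and the static field sharedRow plays the part of udac's static ResultSet rs. The latches force exactly the order in the diagram, so the result is deterministic rather than a matter of luck: with the shared field, request A (alice) finishes with bob's USER_ID and ROLE_ID in her bean, which is the "previously logged user's profile" symptom from the first mail; with a local variable, each request keeps its own row.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.CountDownLatch;

public class SharedStateRace {

    // Constructed sample data standing in for LOGIN_INFORMATION: USER_ID -> ROLE_ID.
    static final Map<String, String> ROLE_BY_USER = new HashMap<String, String>();
    static {
        ROLE_BY_USER.put("alice", "1");
        ROLE_BY_USER.put("bob", "3");
    }

    // The defect under discussion: one class-wide field written by every
    // request, standing in for udac's "static ResultSet rs".
    static String[] sharedRow;

    static class UserBean {
        String userId;
        String roleId;
    }

    // Mirrors udac.login: the lookup result is stored, then the bean is filled
    // from it. When latches are given, the caller can freeze this request
    // between those two steps so another request runs in the gap.
    static UserBean login(boolean useSharedField, String userId,
                          CountDownLatch paused, CountDownLatch resume)
            throws InterruptedException {
        String[] localRow = new String[] { userId, ROLE_BY_USER.get(userId) };
        if (useSharedField) {
            sharedRow = localRow;            // "rs = stmt.executeQuery(...)" on a static
        }
        if (paused != null) {
            paused.countDown();              // signal "request A is mid-way"
            resume.await();                  // wait until request B has finished
        }
        // Buggy variant reads whatever the shared field holds NOW, not what
        // this request stored a moment ago.
        String[] row = useSharedField ? sharedRow : localRow;
        UserBean bean = new UserBean();
        bean.userId = row[0];
        bean.roleId = row[1];
        return bean;
    }

    // Forces the interleaving from the diagram: A starts, B runs to
    // completion, A finishes. Returns the bean request A (alice) ends up with.
    static UserBean interleave(final boolean useSharedField) throws InterruptedException {
        final CountDownLatch aPaused = new CountDownLatch(1);
        final CountDownLatch aResume = new CountDownLatch(1);
        final UserBean[] aResult = new UserBean[1];
        Thread requestA = new Thread(new Runnable() {
            public void run() {
                try {
                    aResult[0] = login(useSharedField, "alice", aPaused, aResume);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            }
        });
        requestA.start();
        aPaused.await();                                 // A has stored its row
        login(useSharedField, "bob", null, null);        // B runs start to finish
        aResume.countDown();                             // let A carry on
        requestA.join();
        return aResult[0];
    }

    public static void main(String[] args) throws InterruptedException {
        UserBean buggy = interleave(true);
        UserBean fixed = interleave(false);
        System.out.println("static field:   alice's bean holds "
                + buggy.userId + " / role " + buggy.roleId);
        System.out.println("local variable: alice's bean holds "
                + fixed.userId + " / role " + fixed.roleId);
    }
}
```

The latches are only there to make the bad order happen on demand; under Tomcat the same order happens whenever two logins overlap on two request-processing threads, which is why Windows with one tester never showed it and a Linux box with several users did. The fix needs no synchronization at all: once the connection and result set are locals of login(), there is no shared field left to overwrite.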

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Felix Schumacher



Yawar Khan khanya...@yahoo.com schrieb:

thanks felix, very nicely explained!

but do you think that declaring connection and rs variables outside the login 
function is causing the sessions mixup issue? 


Yes. But I think it is not messing with sessions, but rather messing with the 
values of your user beans.

Hth
  Felix





Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-20 Thread Pid
On 19/08/2010 23:42, Christopher Schultz wrote:
 Wesley,
 
 On 8/19/2010 5:04 PM, Wesley Acheson wrote:
 Maybe its just be but I still don't see where uadc is declared or even
 imported.
 
 ...or even used.
 
 I'm guessing that the bad code exists outside of this login servlet.

 s/the bad/more bad/g

The OP has, unfortunately, not employed the usual letter-case based
naming conventions, making the process of establishing the difference
between a local variable and say, a static class, nigh on impossible.

Having said that, my guess would be that 'udac' is the latter.

@OP What happens if udac throws an exception?


p



 -chris



RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-20 Thread Yawar Khan
Chris, I had a look at container managed authentication and it's quite handy, but I couldn't see how I can add extra functionality like calling an encryption function on the password text field before Tomcat does its authentication on it.

For JS, my client side authentication is done on the form submit button click event; if the hackers do disable JavaScript, how will my HTML form be submitted? However, I will add some server side validation as well, I agree that's important.
 
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, August 20, 2010 3:41 AM
To: Tomcat Users List
Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
 
 
Yawar,
 
On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
 your comments on my current code tells me that this code is not bad,
 but I should check out tomcat's container managed logins... right?
 
This code seems to be doing more work than necessary. Container-managed
authentication and authorization is a useful service provided by the
container. I highly recommend taking a look at using it, but it may be
... disruptive to your existing workflows.
 
 plus I would like to mention that I have client side form validations
 (js) to stop query busters.
 
I'm sure that hackers will be sure to leave javascript enabled when they
visit your site.
 
- -chris


  

RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-20 Thread Yawar Khan
Hi, I have been trying to post emails on this list but getting mailer-daemon replies that only subscribers can post. I don't know what happened there, so I subscribed my other email address.

OK, now for the topic at hand:

Wesley, udac is a public class which exists in the same package and login is a static function. I think that much is pretty obvious. I had proper naming conventions but when I moved my source code to Linux, my entire file names were changed to lower case, and the application could not find the classes and JSP files. I didn't know any other way (and didn't have any time for R&D) so I changed the names of classes and JSP files to lower case. Anyway, my original topic is the sessions mix-up; do you see any relevance of sessions in the udac class? Sessions are getting created in loginmanager.
 
 
-Original Message-
From: Wesley Acheson [mailto:wesley.ache...@gmail.com] 
Sent: Friday, August 20, 2010 2:05 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
Maybe its just be but I still don't see where uadc is declared or even
imported.
 
On Thu, Aug 19, 2010 at 10:26 PM, Yawar Saeed Khan/ITG/Karachi 
yawar.sa...@mcb.com.pk wrote:
 
 yea I did attach a .java file, anyways I am posting the code here;

 package org.mcb.services;
 import java.io.IOException;
 import java.io.PrintWriter;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 /**
  *
  * @author yawar.saeed
  */
 public class loginmanager extends HttpServlet {

     protected void processRequest(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
         response.setContentType("text/html;charset=iso-8859-1");
         PrintWriter out = response.getWriter();
         try {
             userbean user = new userbean();
             user.setUserId(request.getParameter("txt_userid"));
             user.setPassword(request.getParameter("txt_pass"));
             user = udac.login(user);
             if (user.isValid()) {
                 HttpSession session = request.getSession(true);
                 session.setAttribute("user_id", user.getUserId());
                 session.setAttribute("user_name", user.getName());
                 session.setAttribute("role_id", user.getRole());
                 session.setAttribute("role_desc", user.getRoleDesc());
                 session.setAttribute("last_login", user.getLastLogin());
                 //response.sendRedirect("main.jsp"); //logged-in page
                 response.sendRedirect(response.encodeRedirectURL("main.jsp"));
             } else {
                 //response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
                 response.sendRedirect(response.encodeRedirectURL("index.jsp?user=" + user.isValid())); //revert back to login page
             }
         } finally {
             out.close();
         }
     }
     @Override
     protected void doGet(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
         processRequest(request, response);
     }
     @Override
     protected void doPost(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
         processRequest(request, response);
     }
 }

 
 From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
 Sent: Fri 20-Aug-10 1:56 AM
 To: Tomcat Users List
 Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

 

 

 
 Sorry can't see it. Are you sure you attached it? you could use something
 like pastebin if the mail list does accept attachments

 

 
 On Thu, Aug 19, 2010 at 9:27 PM, Yawar Saeed Khan/ITG/Karachi 
 yawar.sa...@mcb.com.pk wrote:

 
  source code is attached;
 
  suggestions are welcome.
 
  
 
  From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
  Sent: Fri 20-Aug-10 12:38 AM
  To: Tomcat Users List
  Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
 
 
  Okay I've a little theory, could you post the entire code for loginmanager.

  How is udac declared? If it's a class variable then *IT'S NOT THREAD SAFE*.
  As a basic rule don't declare class variables in a servlet (There are
  exceptions to this rule but you shouldn't under normal circumstances)


  

RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-20 Thread Yawar Khan
Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form.

Is there another genuine threat or bug that you identified and would like to share? Please do, I am sharing the udac source code as well.

Wesley, your comments are also welcome; somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry but I missed that email so I am unable to name that gentleman friend.
 
package org.mcb.services;

import java.text.*;
import java.util.*;
import java.sql.*;
import javax.servlet.http.HttpSession;

public class udac
{
    static Connection currentCon = null;
    static ResultSet rs = null;

    public static userbean login(userbean bean) {
        //preparing some objects for connection
        Statement stmt = null;
        String userid = bean.getUserId();
        String password = bean.getPassword();
        String epass = null;
        String name = null;
        String user_id = null;
        String role_id = null;
        String branch_code = null;
        String last_login = null;
        String role_desc = null;
        try {
            epass = passwordservices.getInstance().encrypt(password);
            //passwordservices is a class which has functions to encrypt a string and return back the string.
        } catch (Exception e) {
            System.out.println(e);
        }
        String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
        searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";
        try {
            //connect to DB: connectionmanager is a class which contains connection functions
            currentCon = connectionmanager.scgm_conn();
            stmt = currentCon.createStatement();
            rs = stmt.executeQuery(searchQuery);
            boolean hasdata = false;
            while (rs.next()) {
                hasdata = true;
                name = rs.getString("NAME");
                user_id = rs.getString("USER_ID");
                branch_code = rs.getString("BRANCH_CODE");
                role_id = rs.getString("ROLE_ID");
                last_login = rs.getString("LAST_LOGIN_DATE");
                role_desc = rs.getString("ROLE_DESC");
                bean.setName(name);
                bean.setUserId(user_id);
                bean.setBranch(branch_code);
                bean.setRole(role_id);
                bean.setLastLogin(last_login);
                bean.setRoleDesc(role_desc);
                bean.setValid(true);
            }
            if (!hasdata) {
                System.out.println("Sorry, you are not a registered user! Please sign up first" + searchQuery);
                bean.setValid(false);
            }
        } catch (Exception ex) {
            System.out.println("Log In failed: An Exception has occurred! " + ex);
        }
        //some exception handling
        finally {
            if (rs != null) {
                try {
                    rs.close();
                } catch (Exception e) {}
                rs = null;
            }

            if (stmt != null) {
                try {
                    stmt.close();
                } catch (Exception e) {}
                stmt = null;
            }

            if (currentCon != null) {
                try {
                    currentCon.close();
                } catch (Exception e) {
                }

                currentCon = null;
            }
        }
        return bean;

    }
}
 
ysk
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, August 20, 2010 3:43 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
 
Wesley,
 
On 8/19/2010 5:04 PM, Wesley Acheson wrote:
 Maybe its just be but I still don't see where uadc is declared or even
 imported.
 
...or even used.
 
I'm guessing that the bad code exists outside of this login servlet.
 
- -chris
 
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h
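
A version of udac.login that addresses both points raised in this thread, the class-wide Connection/ResultSet that Felix traced to the mix-up and the string-built SQL that Chris flagged, written as an added example rather than the project's code. It assumes the thread's own userbean (getUserId/getPassword and the setters used above) and passwordservices.getInstance().encrypt(String) exist as shown; the class name LoginDao, the constructor and the javax.sql.DataSource (a container-managed pool rather than the per-call connectionmanager.scgm_conn()) are my assumptions, and try-with-resources needs Java 7 or later.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

public class LoginDao {

    // Assumption: connections come from a pool the container manages
    // (a javax.sql.DataSource looked up from JNDI once at startup), not
    // from a hand-rolled connectionmanager opening one per login.
    private final DataSource dataSource;

    public LoginDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Same join and filter as the original query. The two user-controlled
    // values travel as bind parameters (?) instead of text spliced into the
    // SQL, so a user id such as  x' OR '1'='1  is compared literally.
    private static final String LOGIN_SQL =
            "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC"
          + " FROM LOGIN_INFORMATION a, ROLES b"
          + " WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID"
          + " AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?";

    // Thread-safe replacement for udac.login: every per-request object
    // (connection, statement, result set) is a local variable, so two
    // concurrent logins cannot see each other's rows.
    public userbean login(userbean bean) {
        bean.setValid(false);                      // fail closed until proven otherwise
        String userId = bean.getUserId();
        if (userId == null || userId.trim().length() == 0 || bean.getPassword() == null) {
            return bean;                           // server-side check; the client's JavaScript is optional
        }
        String epass;
        try {
            // Assumed to return the stored form of the password (the thread's own class).
            epass = passwordservices.getInstance().encrypt(bean.getPassword());
        } catch (Exception e) {
            return bean;                           // cannot compute the stored form: failed login
        }
        // try-with-resources closes rs, ps and con in reverse order, also on
        // exceptions, replacing the hand-written finally block.
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, userId);
            ps.setString(2, epass);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    bean.setUserId(rs.getString("USER_ID"));
                    bean.setName(rs.getString("NAME"));
                    bean.setBranch(rs.getString("BRANCH_CODE"));
                    bean.setRole(rs.getString("ROLE_ID"));
                    bean.setRoleDesc(rs.getString("ROLE_DESC"));
                    bean.setLastLogin(rs.getString("LAST_LOGIN_DATE"));
                    bean.setValid(true);
                }
            }
        } catch (SQLException e) {
            // Report through a logging framework, but never log the SQL text
            // with the credential in it, as the original println did.
        }
        return bean;
    }
}
```

In Tomcat the DataSource comes from a <Resource> in the context and an InitialContext lookup of java:comp/env/jdbc/<name>; that lookup can be done once in the servlet's init() and the resulting LoginDao kept as an instance field, because unlike the static ResultSet it holds no per-request state. Note that the password comparison is still the original a.PASSWORD = ? against whatever encrypt() produces; if that is a plain hash, the salting problem Chris mentions is untouched by this change.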

Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Yawar Saeed Khan/ITG/Karachi
Hi,

 

I have developed a web application using jsp and servlets with oracle
database.

 

The application is working fine on windows, but the problem arises when
we deploy it on Linux(64bit), we get session issues in the application.
The session variables get mixed up and we can see previously logged
user's profile page. The menu options sometime show of previously logged
users, sometimes currently logged user's. 

 

For example, session.getAttribute(role_id) sometime retrieves 3 and
sometimes 1 depending on previous values.

 

please help!

 

Yawar S. Khan
Senior Manager - Business Applications
Information Technology Group (Karachi)

yawar.sa...@mcb.com.pk mailto:yawar.sa...@mcb.com.pk 

SST:  021-5656723

Cell:   0334-3752196

 

Success is a Journey, not a Destination...

 


This E-mail is confidential. It may also be legally privileged. If you are not 
the addressee you may not copy, forward, disclose or use any part of it. If you 
have received this message in error, please delete it and all copies from your 
system and notify the sender immediately by return E-mail. Internet 
communications cannot be guaranteed to be timely, secure, error or virus-free. 
MCB Bank does not accept liability for any errors or omissions.


Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread André Warnier

Yawar Saeed Khan/ITG/Karachi wrote:

Hi,


I have developed a web application using jsp and servlets with oracle
database.


and with Tomcat also ?




The application is working fine on windows, 


Windows version, JVM version, tomcat version ?

but the problem arises when


we deploy it on Linux(64bit), 


Linux version, JVM version, tomcat version ?

we get session issues in the application.
The session variables get mixed up and we can see previously logged
user's profile page. The menu options sometime show of previously logged
users, sometimes currently logged user's.


For example, session.getAttribute(role_id) sometime retrieves 3 and
sometimes 1 depending on previous values.


Have you watched the JSESSIONID cookie in the browser after the different steps 
?
The JSESSIONID cookie value contains (or should contain) the session-id for your current 
session. This value should not change during the whole user session. Does it ?


What about differences in configuration between Windows and Linux ?
Are you doing any kind of load-balancing in one case and not in the other ?
Is there anything (proxy, firewall, load-balancer, http server, ..) between the browser 
and the tomcat server ?






Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Ben Souther
On Thu, 2010-08-19 at 12:45 +0200, André Warnier wrote:
 Yawar Saeed Khan/ITG/Karachi wrote:
  Hi,
  
  
  I have developed a web application using jsp and servlets with oracle
  database.
  
 and with Tomcat also ?
Look in the subject line.  :)




  
  
  
  The application is working fine on windows, 
 
 Windows version, JVM version, tomcat version ?
 
 but the problem arises when
  
  we deploy it on Linux(64bit), 
 
 Linux version, JVM version, 

 tomcat version ?
Look in the subject line.  :)




 
 we get session issues in the application.
 The session variables get mixed up and we can see previously logged
 user's profile page. The menu options sometime show of previously logged
 users, sometimes currently logged user's.
  
  For example, session.getAttribute(role_id) sometime retrieves 3 and
  sometimes 1 depending on previous values.
  
 Have you watched the JSESSIONID cookie in the browser after the different 
 steps ?
 The JSESSIONID cookie value contains (or should contain) the session-id for 
 your current 
 session. This value should not change during the whole user session. Does it ?
 
 What about differences in configuration between Windows and Linux ?
 Are you doing any kind of load-balancing in one case and not in the other ?
 Is there anything (proxy, firewall, load-balancer, http server, ..) between 
 the browser 
 and the tomcat server ?
 
 



RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Caldarale, Charles R
Yawar Saeed Khan/ITG/Karachi wrote:

 I have developed a web application using jsp and servlets with 
 oracle database.

 The application is working fine on windows,

Or at least running on that platform hasn't uncovered the latent bugs in your 
webapp.

 but the problem arises when we deploy it on Linux(64bit),
 
 we get session issues in the application.
 The session variables get mixed up and we can see previously 
 logged user's profile page.

This happens frequently for applications that misuse scope, doing such things 
as storing the request or response object in the session or some ThreadLocal 
field.  It has never been shown to be an issue in a stable version of Tomcat.

  - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.






Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread André Warnier

Ben Souther wrote:

On Thu, 2010-08-19 at 12:45 +0200, André Warnier wrote:

Yawar Saeed Khan/ITG/Karachi wrote:

Hi,


I have developed a web application using jsp and servlets with oracle
database.


and with Tomcat also ?

Look in the subject line.  :)



Ok, I overlooked the subject line (*). Mea culpa.

However, a really long experience with problem reports tells me that when someone says 
"it is just the same, only the OS changes" or "I did not change anything", in the end it 
never turns out that way.

So my questions remain, despite the subject line.

Basically, by asking these questions (and asking them over and over again), the purpose is 
not to bother the OP.  The purpose is to try to delimit the issue properly from the start, 
rather than having to spend 10 back-and-forth messages to do so.


Clearly in this case, if all elements were identical except for the OS, this kind of issue 
would not happen.  Ergo, there must be something else than the OS involved.
I am just trying to find out what it is, and maybe in the process get the OP to figure it 
out too.




(*) Maybe it was because it did not have a HELP!! or ASAP or tomcat does not 
work in it.
;-)




Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Pid
On 19/08/2010 14:02, Caldarale, Charles R wrote:
 Yawar Saeed Khan/ITG/Karachi wrote:

 I have developed a web application using jsp and servlets with 
 oracle database.

 The application is working fine on windows,
 
 Or at least running on that platform hasn't uncovered the latent bugs in your 
 webapp.
 
 but the problem arises when we deploy it on Linux(64bit),

 we get session issues in the application.
 The session variables get mixed up and we can see previously 
 logged user's profile page.
 
 This happens frequently for applications that misuse scope, doing such things 
 as storing the request or response object in the session or some ThreadLocal 
 field.  It has never been shown to be an issue in a stable version of Tomcat.

+1

Odds on the session or request is being stored in an instance field in a
servlet somewhere.


p

   - Chuck
 
 


RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Yawar Saeed Khan/ITG/Karachi
Chuck, what you say makes sense, but I checked the behavior on Windows; the 
problem is in the Linux environment only. I would imagine that the Tomcat configuration 
might be different on both machines, but I have no clue about configuring Tomcat 
(maybe a session cache issue?). I just installed Tomcat 6.0.26 on both machines 
with default configurations.




RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Yawar Saeed Khan/ITG/Karachi
Ok, let me share my source code with you...
 
My index.jsp page has an HTML form which submits the form data to a servlet 
called loginmanager. This is the code inside the doPost function:
try {
    userbean user = new userbean();   // userbean is a class that has setter and getter functions for user attributes
    user.setUserId(request.getParameter("txt_userid"));
    user.setPassword(request.getParameter("txt_pass"));
    user = udac.login(user); //udac is a class that has data access functions, login function takes user object and checks its existence in db and sets isValid attribute for that user
    if (user.isValid()) {
        HttpSession session = request.getSession(true);
        session.setAttribute("user_id", user.getUserId());
        session.setAttribute("user_name", user.getName());
        session.setAttribute("role_id", user.getRole());
        session.setAttribute("role_desc", user.getRoleDesc());
        session.setAttribute("last_login", user.getLastLogin());
        response.sendRedirect("main.jsp"); //logged-in page
    } else {
        response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
    }
} finally {
    out.close();
}

Previously i had tried a simple way; my index.jsp file called itself on form 
submit, below code was in index.jsp (no servlet etc);
 
// after form is submitted
String query = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, "
    + "a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b "
    + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
query = query + "AND LOWER(a.USER_ID) = LOWER('"
    + request.getParameter("txt_userid") + "') AND a.PASSWORD = '" + epass + "'";
boolean hasdata = false;
java.sql.ResultSet rs = connection.executeQuery(query);
while (rs.next()) {
    hasdata = true;
    session.setAttribute("user_id", rs.getString("USER_ID"));
    session.setAttribute("user_name", rs.getString("NAME"));
    session.setAttribute("branch_code", rs.getString("BRANCH_CODE"));
    session.setAttribute("role_id", rs.getString("ROLE_ID"));
    session.setAttribute("role_desc", rs.getString("ROLE_DESC"));
    session.setAttribute("last_login", rs.getString("LAST_LOGIN_DATE"));
    upsql = "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE "
        + "WHERE USER_ID = '" + rs.getString("USER_ID") + "'";
    int up = connection.executeUpdate("UPDATE LOGIN_INFORMATION SET "
        + "LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'");
    int audit_insrt = InsertAuditEntry("F001", (String) session.getAttribute("user_id"),
        (String) session.getAttribute("branch_code"));
    response.sendRedirect("main.jsp");
    //out.println("Logged in");
}
 
behaviour is same in both cases. thanks!



From: Pid [mailto:p...@pidster.com]
Sent: Thu 19-Aug-10 9:03 PM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux



On 19/08/2010 14:02, Caldarale, Charles R wrote:
 Yawar Saeed Khan/ITG/Karachi wrote:

 I have developed a web application using jsp and servlets with
 oracle database.

 The application is working fine on windows,

 Or at least running on that platform hasn't uncovered the latent bugs in your 
 webapp.

 but the problem arises when we deploy it on Linux(64bit),

 we get session issues in the application.
 The session variables get mixed up and we can see previously
 logged user's profile page.

 This happens frequently for applications that misuse scope, doing such things 
 as storing the request or response object in the session or some ThreadLocal 
 field.  It has never been shown to be an issue in a stable version of Tomcat.

+1

Odds on the session or request is being stored in an instance field in a
servlet somewhere.


p

   - Chuck



Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Konstantin Kolinko
2010/8/19 Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk:
 Ok, let me share my source code with you...

                  HttpSession session = request.getSession(true);
                  response.sendRedirect("main.jsp"); //logged-in page

See documentation on HttpServletResponse.encodeRedirectURL( ) method.
It must be used here.

Best regards,
Konstantin Kolinko




RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Yawar Saeed Khan/ITG/Karachi
Konstantin, it seems that I will have to use
HttpServletResponse.encodeRedirectURL( ) in every hyperlink? Will that solve
my sessions problem?






Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Christopher Schultz

Yawar,

I'm marking this as off-topic for /your/ request. I just have some
comments for you. Take them or leave them.

On 8/19/2010 11:53 AM, Yawar Saeed Khan/ITG/Karachi wrote:
 Ok, let me share my source code with you...
 
 my index.jsp page has a html form which submits the form data to a servlet 
 called loginmanager.
 
 this is the code inside doPost function;
 
 try {
 
  userbean user = new userbean();   // userbean is a class that has
  setter and getter functions for user attributes
 
  user.setUserId(request.getParameter("txt_userid"));
 
  user.setPassword(request.getParameter("txt_pass"));
 
  user = udac.login(user); // udac is a class that has data access
  functions; login takes the user object, checks its existence in the db
  and sets the isValid attribute for that user

Not using Tomcat's container-managed login? Any particular reason why
not? It's quite easy to configure and has the added benefit of being
properly tested.

  if (user.isValid()) {
 
   HttpSession session = request.getSession(true);

   session.setAttribute("user_id", user.getUserId());
   session.setAttribute("user_name", user.getName());
   session.setAttribute("role_id", user.getRole());
   session.setAttribute("role_desc", user.getRoleDesc());
   session.setAttribute("last_login", user.getLastLogin());

Why not session.setAttribute("user", user)?

   response.sendRedirect("main.jsp"); // logged-in page

That should be:

response.sendRedirect(request.getContextPath()
    + response.encodeRedirectURL("/main.jsp"));

  } else {
 
   response.sendRedirect("index.jsp?user=" + user.isValid());
   // revert back to login page

That should be:

response.sendRedirect(request.getContextPath()
    + response.encodeRedirectURL("/index.jsp")
    + "?user="
    + java.net.URLEncoder.encode(String.valueOf(user.isValid()), "UTF-8"));

It always helps to format and encode things properly.

  }
 
 } finally {
 
 out.close();
 }

What is out?

 Previously i had tried a simple way; my index.jsp file called itself on form 
 submit, below code was in index.jsp (no servlet etc);
 
  // after form is submitted
 
  String query = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, "
      + "a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b "
      + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
 
  query = query + "AND LOWER(a.USER_ID) = LOWER('"
      + request.getParameter("txt_userid") + "') AND a.PASSWORD = '" + epass + "'";
 
  boolean hasdata = false;
 
  java.sql.ResultSet rs = connection.executeQuery(query);

Wow: this is a SQL injection attack just waiting to happen. What happens
if I submit the txt_userid request parameter as ') OR 1; or, even
better, '); DELETE FROM LOGIN_INFORMATION; or some other evil thing?

I believe that certain JDBC drivers will not execute more than one query
per executeQuery() call, but you can't really count on that. It's easy
to use a PreparedStatement and just do it properly: poof! SQL injection
attacks are a thing of the past (unless the driver is broken, but they
test those things very well).

Also, most SQL databases perform case-insensitive string comparisons, so
your LOWER(a.USER_ID) = LOWER(...) can probably be simplified. Note that
it also means you likely have case-insensitive passwords (though you
haven't shown us what epass is -- it could have been hashed).

  while (rs.next()) {
 
      hasdata = true;
 
      session.setAttribute("user_id", rs.getString("USER_ID"));
      session.setAttribute("user_name", rs.getString("NAME"));
      session.setAttribute("branch_code", rs.getString("BRANCH_CODE"));
      session.setAttribute("role_id", rs.getString("ROLE_ID"));
      session.setAttribute("role_desc", rs.getString("ROLE_DESC"));
      session.setAttribute("last_login", rs.getString("LAST_LOGIN_DATE"));
 
      upsql = "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE "
          + "WHERE USER_ID = '" + rs.getString("USER_ID") + "'";
 
      int up = connection.executeUpdate("UPDATE LOGIN_INFORMATION SET "
          + "LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'");
 
      int audit_insrt = InsertAuditEntry("F001", (String) session.getAttribute("user_id"),
          (String) session.getAttribute("branch_code"));
 
      response.sendRedirect("main.jsp");

How many redirects do you end up sending? Hopefully, only one. But this
code is bad, bad, bad. It makes me wonder what other nuggets can be
found in your code.

- -chris
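An added example, not code from the thread, of the rewrite Chris recommends above: the posted LOGIN_INFORMATION/ROLES lookup and the LAST_LOGIN_DATE update done with PreparedStatement bind parameters instead of string concatenation. Table and column names are the ones in the posted query; the LoginDao/LoginRow names are assumed, and epass is passed through however the application already derives it.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Added example (names assumed): bind-parameter version of the posted login query. */
public final class LoginDao {

    // Same SELECT as the posted JSP, minus a.PASSWORD (the servlet never needs it back),
    // with the two user-controlled values as bind markers (?). The driver sends the SQL
    // text and the parameters separately, so a txt_userid of  ') OR 1  is compared
    // against USER_ID as a literal string and is never parsed as SQL.
    private static final String SELECT_USER =
        "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC "
      + "FROM LOGIN_INFORMATION a, ROLES b "
      + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID "
      + "AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?";

    // The posted code also built this UPDATE by concatenation. That USER_ID came from
    // the database rather than the request, but binding it costs nothing.
    private static final String TOUCH_LAST_LOGIN =
        "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = ?";

    /** Minimal holder for the columns the servlet copies into the session. */
    public static final class LoginRow {
        public final String userId, name, branchCode, roleId, roleDesc, lastLogin;

        LoginRow(ResultSet rs) throws SQLException {
            userId = rs.getString("USER_ID");
            name = rs.getString("NAME");
            branchCode = rs.getString("BRANCH_CODE");
            roleId = rs.getString("ROLE_ID");
            roleDesc = rs.getString("ROLE_DESC");
            lastLogin = rs.getString("LAST_LOGIN_DATE");
        }
    }

    private LoginDao() {}

    /**
     * Looks the user up and, on success, stamps LAST_LOGIN_DATE.
     * epass is whatever the application derives from txt_pass (the thread does not
     * show it); it is passed through unchanged as a bind value.
     * Returns null when no active row matches, so the caller redirects to index.jsp.
     */
    public static LoginRow login(Connection connection, String userId, String epass)
            throws SQLException {
        if (userId == null || epass == null) {
            return null;   // missing form field: a failed login, never a match
        }
        try (PreparedStatement ps = connection.prepareStatement(SELECT_USER)) {
            ps.setString(1, userId);
            ps.setString(2, epass);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                LoginRow row = new LoginRow(rs);
                if (rs.next()) {
                    // Two active rows for one USER_ID is a data problem, not a login.
                    // The posted while-loop would have sent one redirect per row.
                    throw new SQLException("duplicate active USER_ID: " + row.userId);
                }
                touchLastLogin(connection, row.userId);
                return row;
            }
        }
    }

    private static void touchLastLogin(Connection connection, String userId)
            throws SQLException {
        try (PreparedStatement ps = connection.prepareStatement(TOUCH_LAST_LOGIN)) {
            ps.setString(1, userId);
            ps.executeUpdate();
        }
    }
}
```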

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Christopher Schultz

Yawar,

On 8/19/2010 11:28 AM, Yawar Saeed Khan/ITG/Karachi wrote:
 Chuck, what you say makes sense but I checked the behavior on Windows.
 The problem is in the Linux environment only. I would imagine that Tomcat
 configuration might be different on both machines, but I have no clue
 about configuring Tomcat. (maybe a session cache issue?) I just installed
 Tomcat 6.0.26 on both machines with default configurations.

You didn't mention if Windows was 32-bit or 64-bit. Are we talking about
the same hardware? Equivalent hardware? What about number of cores?
Sometimes, these things don't expose themselves unless true simultaneity
is possible -- which requires more than one processor core.

Isn't non-determinism fun?

- -chris



RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Caldarale, Charles R
On 8/19/2010 11:28 AM, Yawar Saeed Khan/ITG/Karachi wrote:
 Chuck, what you say makes sense but I check the behavior on windows.

All that says to me is that your testing environment on Windows is inadequate.

 - Chuck





Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Wesley Acheson
Okay, I've a little theory. Could you post the entire code for loginmanager?

How is udac declared?  If it's a class variable then *IT'S NOT THREAD SAFE*.
As a basic rule don't declare class variables in a servlet (there are
exceptions to this rule but you shouldn't under normal circumstances).
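An added illustration, not code from the thread, of the point Chuck, Pid and Wesley are making: the same login written with per-request state in instance fields, and then with locals. The class names and the UserDao lookup through a servlet-context attribute are assumed here.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example, not from the thread. Tomcat creates ONE instance of each servlet
 * and lets many request threads run doPost() on it at the same time, so anything
 * kept in an instance field is shared between users. A JSP declaration (<%! %>)
 * becomes an instance field of the generated servlet and has the same problem.
 */

/** The shape of bug being hunted: per-request state in instance fields. */
class UnsafeLoginServlet extends HttpServlet {
    private HttpSession session;   // shared by every thread running doPost()
    private String userId;         // same problem for plain values

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        session = request.getSession(true);                 // thread A ("alice") writes
        userId = request.getParameter("txt_userid");
        // A slow database call here is the window in which thread B ("bob")
        // overwrites both fields ...
        session.setAttribute("user_id", userId);            // ... so alice's request now
        // stamps bob's session, or bob's id lands in alice's session: exactly the
        // "previously logged user's profile page" symptom. It needs real overlap of
        // two requests, which a single-user test on one core rarely produces.
        response.sendRedirect(response.encodeRedirectURL("main.jsp"));
    }
}

/** Assumed stand-in for the thread's udac; an implementation keeps no per-request state. */
interface UserDao {
    boolean credentialsValid(String userId, String password);
}

/** Safe shape: per-request data lives in locals; fields hold only stateless helpers. */
class SafeLoginServlet extends HttpServlet {
    // A field is fine when the object itself holds no per-request state (Wesley's
    // exception). Assumed: a listener registered the DAO at startup.
    private UserDao udac;

    @Override
    public void init() throws ServletException {
        udac = (UserDao) getServletContext().getAttribute("userDao");
        if (udac == null) {
            throw new ServletException("userDao not registered in the servlet context");
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userId = request.getParameter("txt_userid");   // local: one copy per thread
        String password = request.getParameter("txt_pass");
        if (userId == null || password == null || !udac.credentialsValid(userId, password)) {
            response.sendRedirect(request.getContextPath()
                + response.encodeRedirectURL("/index.jsp?user=false"));
            return;
        }
        HttpSession session = request.getSession(true);       // local as well
        session.setAttribute("user_id", userId);
        response.sendRedirect(request.getContextPath()
            + response.encodeRedirectURL("/main.jsp"));
    }
}
```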


RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Yawar Saeed Khan/ITG/Karachi
source code is attached;
 
suggestions are welcome.




RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Yawar Saeed Khan/ITG/Karachi
Thanks for your constructive comments. As I mentioned, that bad, bad, bad code
is out, no longer in the application...
 
Your comments on my current code tell me that this code is not bad, but I
should check out Tomcat's container-managed logins... right?
 
Plus I would like to mention that I have client-side form validations (js) to
stop query busters.



Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Wesley Acheson
Sorry, can't see it. Are you sure you attached it? You could use something
like pastebin if the mail list does accept attachments.


Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Mark Eggers
Client side validation is for convenience and user feedback. Server side 
validation is still required. Nothing requires a user to use a browser, or to 
not use an extension like Fiddle or Tamper to play with the information once it's 
passed your validation scripts.

. . . just my two cents.

/mde/



RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Yawar Saeed Khan/ITG/Karachi
Yeah, I did attach a .java file; anyway, I am posting the code here:
 
package org.mcb.services;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 *
 * @author yawar.saeed
 */
public class loginmanager extends HttpServlet {

    protected void processRequest(HttpServletRequest request,
                                  HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=iso-8859-1");
        PrintWriter out = response.getWriter();
        try {
            userbean user = new userbean();
            user.setUserId(request.getParameter("txt_userid"));
            user.setPassword(request.getParameter("txt_pass"));
            user = udac.login(user);
            if (user.isValid()) {
                HttpSession session = request.getSession(true);
                session.setAttribute("user_id", user.getUserId());
                session.setAttribute("user_name", user.getName());
                session.setAttribute("role_id", user.getRole());
                session.setAttribute("role_desc", user.getRoleDesc());
                session.setAttribute("last_login", user.getLastLogin());
                //response.sendRedirect("main.jsp"); //logged-in page
                response.sendRedirect(response.encodeRedirectURL("main.jsp"));
            } else {
                //response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
                response.sendRedirect(response.encodeRedirectURL("index.jsp?user=" + user.isValid()));
                //revert back to login page
            }
        } finally {
            out.close();
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}





Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Wesley Acheson
Maybe it's just me but I still don't see where udac is declared or even
imported.

On Thu, Aug 19, 2010 at 10:26 PM, Yawar Saeed Khan/ITG/Karachi 
yawar.sa...@mcb.com.pk wrote:

 yea I did attach a .java file, anyways I am posting the code here;

 package org.mcb.services;
 import java.io.IOException;
 import java.io.PrintWriter;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 /**
  *
  * @author yawar.saeed
  */
 public class loginmanager extends HttpServlet {

protected void processRequest(HttpServletRequest request,
 HttpServletResponse response)
throws ServletException, IOException {
response.setContentType(text/html;charset=iso-8859-1);
PrintWriter out = response.getWriter();
 try {
 userbean user = new userbean();
  user.setUserId(request.getParameter(txt_userid));
 user.setPassword(request.getParameter(txt_pass));
 user = udac.login(user);
  if (user.isValid()){
  HttpSession session = request.getSession(true);
  session.setAttribute(user_id,user.getUserId());
  session.setAttribute(user_name,user.getName());
  session.setAttribute(role_id,user.getRole());
  session.setAttribute(role_desc, user.getRoleDesc());
  session.setAttribute(last_login, user.getLastLogin());
  //response.sendRedirect(main.jsp); //logged-in page

  response.sendRedirect(response.encodeRedirectURL(main.jsp));
  }else{
//  response.sendRedirect(index.jsp?user=+user.isValid());
 //revert back to login page

  
 response.sendRedirect(response.encodeRedirectURL(index.jsp?user=+user.isValid()));
 //revert back to login page
 }
} finally {
out.close();
}
}
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse
 response)
throws ServletException, IOException {
processRequest(request, response);
}
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse
 response)
throws ServletException, IOException {
processRequest(request, response);
 }
 }


 

 From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
 Sent: Fri 20-Aug-10 1:56 AM
 To: Tomcat Users List
 Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux



 Sorry can't see it. Are you sure you attached it? you could use something
 like pastebin if the mail list does accept attachments


 On Thu, Aug 19, 2010 at 9:27 PM, Yawar Saeed Khan/ITG/Karachi 
 yawar.sa...@mcb.com.pk wrote:

  source code is attached;
 
  suggestions are welcome.
 
  
 
  From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
  Sent: Fri 20-Aug-10 12:38 AM
  To: Tomcat Users List
  Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
 
 
  Okay I've a little tehory could you post the entire code for
 loginmanager.
 
  How is udac declared?  If its a class variable then *ITS NOT THREAD
 SAFE*.
  As a basic rule don't declare class variables in a servlet (There are
  exceptions to this rule but you shouldn't under normal circumstances)
 
 
 
  This E-mail is confidential. It may also be legally privileged. If you
 are
  not the addressee you may not copy, forward, disclose or use any part of
 it.
  If you have received this message in error, please delete it and all
 copies
  from your system and notify the sender immediately by return E-mail.
  Internet communications cannot be guaranteed to be timely, secure, error
 or
  virus-free. MCB Bank does not accept liability for any errors or
 omissions.
 
 
 
  -
  To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
  For additional commands, e-mail: users-h...@tomcat.apache.org
 






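Wesley's point about class variables, as an added example that is not the poster's code: the same login servlet written with a shared instance field (the bug the thread is chasing) next to a version that keeps state request-local. The field name udac and the DemoUsers credential table are assumptions for illustration only.

```java
// Added example, not code from the thread. Tomcat creates ONE instance of each
// servlet and runs concurrent requests through it on different threads, so an
// instance field is shared by every user who is logging in at the same moment.
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Constructed credential table so the example is self-contained (Java 9+ Map.of).
final class DemoUsers {
    static final Map<String, String> PASSWORDS = Map.of("alice", "a-pw", "bob", "b-pw");
    static boolean authenticate(String user, String pw) {
        return user != null && pw != null && pw.equals(PASSWORDS.get(user));
    }
}

// BEFORE: 'udac' is a hypothetical field name standing in for the variable the
// thread asks about. Thread A stores "alice", thread B overwrites it with "bob"
// before A reads it back, and alice's session ends up bound to bob's account.
class UnsafeLoginServlet extends HttpServlet {
    private String udac;                                // shared by ALL requests
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        udac = req.getParameter("username");             // write to shared state
        if (DemoUsers.authenticate(udac, req.getParameter("password"))) {
            // another thread may have replaced udac in the meantime
            req.getSession().setAttribute("user", udac);
            resp.sendRedirect("home.jsp");
        } else {
            resp.sendRedirect("login.jsp");              // revert to login page
        }
    }
}

// AFTER: per-request data lives in locals (one copy per thread) and per-user
// data lives only in that user's HttpSession; the servlet has no fields at all.
class SafeLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");      // local to this request
        if (DemoUsers.authenticate(user, req.getParameter("password"))) {
            req.getSession().setAttribute("user", user);
            resp.sendRedirect("home.jsp");
        } else {
            resp.sendRedirect("login.jsp");
        }
    }
}
```

The same reasoning applies to any helper object (a DAO, a connection, a result set) held in a servlet field: it is shared across all concurrent requests unless it is itself thread-safe.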



Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Christopher Schultz

Yawar,

On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
 Your comments on my current code tell me that this code is not bad,
 but I should check out Tomcat's container-managed logins... right?

This code seems to be doing more work than necessary. Container-managed
authentication and authorization is a useful service provided by the
container. I highly recommend taking a look at using it, but it may be
... disruptive to your existing workflows.

 Plus, I would like to mention that I have client-side form validations
 (JS) to stop query busters.

I'm sure that hackers will be sure to leave JavaScript enabled when they
visit your site.

-chris




Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-19 Thread Christopher Schultz

Wesley,

On 8/19/2010 5:04 PM, Wesley Acheson wrote:
 Maybe it's just me but I still don't see where uadc is declared or even
 imported.

...or even used.

I'm guessing that the bad code exists outside of this login servlet.

-chris
