Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar,

On 8/21/2010 12:42 AM, Yawar Khan wrote:
> Chris, I had a look at container-managed authentication and it's quite handy. But I couldn't see how I can add extra functionality like calling an encryption function on the password text field before Tomcat does its authentication on it.

It's built-in. As long as you just want to do a simple hash of the user's password (like MD5, SHA-256, etc.), you should be good to go. Unfortunately, Tomcat does not currently support any salting of the password before hashing.

> For JS, my client-side authentication is done on the form submit button click event. If the hackers do disable JavaScript, how will my HTML form be submitted?

You don't even need a page in order to submit a form to a web server. You can use 'wget' from the command line to synthesize a request if you're lazy. If you're determined, you can write your own client that feeds everything to the web server and acts just like a web browser.

> However, I will add some server-side validation as well; I agree that's important.

I should say so.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Felix, the issue still persists; I don't know what else to do. And I don't know why this issue is popping up on the Linux environment only. Under Windows there is no session mix-up issue. Now there are no class-wide variables; I have moved them inside the login function.

From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 6:07:18 PM
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Yawar Khan khanya...@yahoo.com schrieb:
> Thanks Felix, very nicely explained! But do you think that declaring the connection and rs variables outside the login function is causing the session mix-up issue?

Yes. But I think it is not messing with sessions, but rather messing with the values of your user beans.

Hth
Felix

From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

Am Freitag, den 20.08.2010, 21:54 -0700 schrieb Yawar Khan:
> Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form. Is there another genuine threat or bug that you identified and would like to share? Please do; I am sharing the udac source code as well. Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that e-mail so I am unable to name that gentleman friend.
>
> package org.mcb.services;
>
> import java.text.*;
> import java.util.*;
> import java.sql.*;
> import javax.servlet.http.HttpSession;
>
> public class udac {
>     static Connection currentCon = null;
>     static ResultSet rs = null;

This seems to be really problematic. Having ResultSet and Connection shared by many users is a bad idea. Imagine what happens when two requests come in at the same time:

    Request A                        Request B
    login(beanA)                     |
    currentCon = new Connection()    |
    |                                login(beanB)
    |                                currentCon = new Connection()   # BOOM

You are overwriting the class-wide variable currentCon. The same thing can happen to rs too. So better place currentCon and rs as method variables inside of login.

>     public static userbean login(userbean bean) {
>         // preparing some objects for connection
>         Statement stmt = null;
>         String userid = bean.getUserId();
>         String password = bean.getPassword();
>         String epass = null;
>         String name = null;
>         String user_id = null;
>         String role_id = null;
>         String branch_code = null;
>         String last_login = null;
>         String role_desc = null;
>
>         try {
>             // passwordservices is a class which has functions to encrypt a string and return back the string.
>             epass = passwordservices.getInstance().encrypt(password);
>         } catch (Exception e) {
>             System.out.println(e);

I find it very useful to use a logging framework for reporting errors. And adding information about the state in which the error occurred might help finding the root cause more easily.

>         }
>
>         String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC "
>             + "FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
>         searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";

If you are using prepared Statements with parameters, you don't have to worry if someone has forgotten to check those parameters for SQL injection. But you were told so already.

Bye
Felix

>         try {
>             // connect to DB: connectionmanager is a class which contains connection functions
>             currentCon = connectionmanager.scgm_conn();
>             stmt = currentCon.createStatement();
>             rs = stmt.executeQuery(searchQuery);
>             boolean hasdata = false;
>             while (rs.next()) {
>                 hasdata = true;
>                 name = rs.getString("NAME");
>                 user_id = rs.getString("USER_ID");
>                 branch_code = rs.getString("BRANCH_CODE");
>                 role_id = rs.getString("ROLE_ID");
>                 last_login = rs.getString("LAST_LOGIN_DATE");
>                 role_desc = rs.getString("ROLE_DESC");
>                 bean.setName(name);
>                 bean.setUserId(user_id);
>                 bean.setBranch(branch_code
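Felix's diagram above describes a schedule that only happens when two logins overlap, so it is hard to reproduce on a developer box and easy to blame on the platform. The program below is an added example, not code from the thread, that forces exactly that schedule with two threads and CountDownLatches: request A runs its query, request B runs its query and overwrites the static, then A copies "its" row into its bean. The JDBC ResultSet is stood in for by an in-memory Map and the bean by a two-field stand-in for the thread's userbean, both constructed for the example; the structural bug (a static field holding per-request state) is the same as in udac. It needs Java 8 or later for the lambdas, which is newer than the Tomcat 6 era of the thread.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.CountDownLatch;

public class SharedStaticRace {

    /** Constructed stand-in for the LOGIN_INFORMATION table: user id -> row. */
    static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "Alice (branch 001)");
        USERS.put("bob", "Bob (branch 002)");
    }

    /** Two-field stand-in for the thread's userbean. */
    static final class UserBean {
        final String userId;
        String name;
        UserBean(String userId) { this.userId = userId; }
    }

    @FunctionalInterface
    interface Login {
        UserBean run(UserBean bean, CountDownLatch queried, CountDownLatch proceed) throws InterruptedException;
    }

    // ---- buggy shape: the query result lives in a class-wide field, like "static ResultSet rs" ----
    static String rs;

    static UserBean loginShared(UserBean bean, CountDownLatch queried, CountDownLatch proceed)
            throws InterruptedException {
        rs = USERS.get(bean.userId);   // "rs = stmt.executeQuery(searchQuery)"
        queried.countDown();           // tell the driver this request has run its query
        proceed.await();               // ...and park here, as if the scheduler switched threads
        bean.name = rs;                // copies whatever the static field holds NOW, not what this request fetched
        return bean;
    }

    // ---- fixed shape: the result is a local, so each request owns its own copy on its own stack ----
    static UserBean loginLocal(UserBean bean, CountDownLatch queried, CountDownLatch proceed)
            throws InterruptedException {
        String localRs = USERS.get(bean.userId);
        queried.countDown();
        proceed.await();
        bean.name = localRs;
        return bean;
    }

    /** Forces the schedule: A queries, B queries, A resumes and copies out, then B. Returns {A's name, B's name}. */
    static String[] runInterleaved(Login login) throws InterruptedException {
        UserBean a = new UserBean("alice");
        UserBean b = new UserBean("bob");
        CountDownLatch aQueried = new CountDownLatch(1), bQueried = new CountDownLatch(1);
        CountDownLatch aGo = new CountDownLatch(1), bGo = new CountDownLatch(1);
        Thread ta = new Thread(() -> runQuietly(login, a, aQueried, aGo));
        Thread tb = new Thread(() -> runQuietly(login, b, bQueried, bGo));

        ta.start();
        aQueried.await();   // A has run its query (in the buggy version: rs now holds Alice's row)
        tb.start();
        bQueried.await();   // B has run its query (in the buggy version: rs now holds Bob's row)
        aGo.countDown();    // A resumes and fills its bean
        bGo.countDown();
        ta.join();
        tb.join();
        return new String[] { a.name, b.name };
    }

    private static void runQuietly(Login login, UserBean bean, CountDownLatch queried, CountDownLatch proceed) {
        try {
            login.run(bean, queried, proceed);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        String[] shared = runInterleaved(SharedStaticRace::loginShared);
        System.out.println("static field : alice's bean = \"" + shared[0] + "\", bob's bean = \"" + shared[1] + "\"");
        String[] local = runInterleaved(SharedStaticRace::loginLocal);
        System.out.println("method local : alice's bean = \"" + local[0] + "\", bob's bean = \"" + local[1] + "\"");
    }
}
```

With the static field, Alice's bean comes back carrying Bob's row, which is the symptom reported as a "session mix-up": Alice's session is intact, but the bean stored in it now describes Bob. With method-local state both beans are correct under the same schedule. The same reasoning applies to currentCon: A's finally block can close and null out the connection B is still using, which surfaces as sporadic SQLExceptions rather than as wrong data.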
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
On Mon, 23 Aug 2010 01:56:31 -0700 (PDT), Yawar Khan khanya...@yahoo.com wrote:
> Felix, the issue still persists; I don't know what else to do. And I don't know why this issue is popping up on the Linux environment only. Under Windows there is no session mix-up issue.

Well, you have fixed one problem in your code, but maybe there are more lurking inside your other classes. We haven't seen the code for passwordservices.getInstance().encrypt(password), for example. connectionmanager.scgm_conn() seems to be your own implementation as well.

You should look at all your classes and look for scope mistakes. Always think about what could happen if this particular code block were visited by two different requests at the same time.

If I remember correctly you had problems getting your source code to Linux because of case sensitivity. Are the code bases for Linux and Windows the same now, or do they differ with respect to case and package and class names? If so, you should try to get the source code to Linux without losing case sensitivity.

To help you further, we need more info.

Bye
Felix

> Now there are no class-wide variables; I have moved them inside the login function.
>
> From: Felix Schumacher felix.schumac...@internetallee.de
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Sat, August 21, 2010 6:07:18 PM
> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>
> Yawar Khan khanya...@yahoo.com schrieb:
> > Thanks Felix, very nicely explained! But do you think that declaring the connection and rs variables outside the login function is causing the session mix-up issue?
>
> Yes. But I think it is not messing with sessions, but rather messing with the values of your user beans.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar Khan wrote:
> Felix, the issue still persists; I don't know what else to do. And I don't know why this issue is popping up on the Linux environment only. Under Windows there is no session mix-up issue. Now there are no class-wide variables; I have moved them inside the login function.

Hi.

This thread is already very long, and I think that by now most people have lost the ability to follow what is really going on. Let me summarise and give you a few tips:

1) Start again, clean: first, update your Tomcat (on both platforms) to the latest 6.0 release, which is 6.0.29. That should not take long, if you just downloaded and installed the standard version from http://tomcat.apache.org, as you mentioned. Then, make sure that your latest application code is exactly the same on both platforms. Then test again, and see if you still have the problem.

2) It seems that, whatever your problem is, people here are of the general opinion that it is due to something in your code, not in the Tomcat code. Some people have already pointed out some apparent mistakes in your code, and you say that you have corrected them. But now the situation may have become confused as to which code you are exactly running on the two platforms. The people who answer on this list do it on their own time. They focus mainly on answering questions about the released Tomcat code, and about Tomcat configuration. They are less willing generally to invest a lot of time scrutinising and debugging your application code. For that, you should use some other help.

3) The fact that you say that the problem does not occur under Windows, and does occur under Linux, is not a proof that something is wrong with Tomcat/Linux. The Tomcat Java code is the same in both cases. What differs is the Java JVM under which it runs, but even that is supposed to hide the differences from the Java applications (of which Tomcat is one). But there can be so many other differences in the architecture and in your setup between these two platforms, that a problem in your code can easily show up in one case, and not in the other. People here do not have your setup, so they cannot determine these differences and find out how they might or might not contribute to the issue.

4) If you think nevertheless that it has something to do with an error in Tomcat itself (which is still possible, nothing is ever perfect), then instead of posting a bunch of application code and asking people to debug it, you could invest some time in adding a lot of debugging log messages in your code, and try to spot yourself where the mix-up occurs. Make sure to add some information that allows you to determine if two or more simultaneous threads or sessions are stepping on each other's data. If through that you can clearly see where the mix-up occurs, and it does not appear to be the result of a logic error in your own code, then post here some clear information showing the problem. Then, start a new thread here, with a new subject.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:
> Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form.

Javascript / ECMAScript and any client-side scripting are completely bypassable and offer no security.

http://www.xs4all.nl/~sbpoley/webmatters/formval.html

So field validation doesn't help you. Also anyone can post to your servlets.

Are you using bindings for your SQL? I see security holes here but don't have time for a use case.

> Is there another genuine threat or bug that you identified and would like to share? Please do; I am sharing the udac source code as well. Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that e-mail so I am unable to name that gentleman friend.
>
> package org.mcb.services;
>
> import java.text.*;
> import java.util.*;
> import java.sql.*;
> import javax.servlet.http.HttpSession;
>
> public class udac {
>     static Connection currentCon = null;
>     static ResultSet rs = null;
>
>     public static userbean login(userbean bean) {
>         // preparing some objects for connection
>         Statement stmt = null;
>         String userid = bean.getUserId();
>         String password = bean.getPassword();
>         String epass = null;
>         String name = null;
>         String user_id = null;
>         String role_id = null;
>         String branch_code = null;
>         String last_login = null;
>         String role_desc = null;
>
>         try {
>             // passwordservices is a class which has functions to encrypt a string and return back the string.
>             epass = passwordservices.getInstance().encrypt(password);
>         } catch (Exception e) {
>             System.out.println(e);
>         }
>
>         String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC "
>             + "FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
>         searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";
>
>         try {
>             // connect to DB: connectionmanager is a class which contains connection functions
>             currentCon = connectionmanager.scgm_conn();
>             stmt = currentCon.createStatement();
>             rs = stmt.executeQuery(searchQuery);
>             boolean hasdata = false;
>             while (rs.next()) {
>                 hasdata = true;
>                 name = rs.getString("NAME");
>                 user_id = rs.getString("USER_ID");
>                 branch_code = rs.getString("BRANCH_CODE");
>                 role_id = rs.getString("ROLE_ID");
>                 last_login = rs.getString("LAST_LOGIN_DATE");
>                 role_desc = rs.getString("ROLE_DESC");
>                 bean.setName(name);
>                 bean.setUserId(user_id);
>                 bean.setBranch(branch_code);
>                 bean.setRole(role_id);
>                 bean.setLastLogin(last_login);
>                 bean.setRoleDesc(role_desc);
>                 bean.setValid(true);
>             }
>             if (!hasdata) {
>                 System.out.println("Sorry, you are not a registered user! Please sign up first " + searchQuery);
>                 bean.setValid(false);
>             }
>         } catch (Exception ex) {
>             System.out.println("Log In failed: An Exception has occurred! " + ex);
>         }
>         // some exception handling
>         finally {
>             if (rs != null) {
>                 try { rs.close(); } catch (Exception e) {}
>                 rs = null;
>             }
>             if (stmt != null) {
>                 try { stmt.close(); } catch (Exception e) {}
>                 stmt = null;
>             }
>             if (currentCon != null) {
>                 try { currentCon.close(); } catch (Exception e) {}
>                 currentCon = null;
>             }
>         }
>         return bean;
>     }
> }
>
> ysk
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, August 20, 2010 3:43 AM
> To: Tomcat Users List
> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>
> Wesley,
>
> On 8/19/2010 5:04 PM, Wesley Acheson wrote:
> > Maybe it's just me but I still don't see where uadc is declared or even imported.
>
> ...or even used. I'm guessing that the bad code
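Wesley asks whether the SQL uses bindings, and Felix has already pointed at PreparedStatement; the posted udac.login also prints searchQuery, with the password hash embedded in it, to stdout on every failed login. The class below is an added example, not code from the thread or from Tomcat, showing udac.login rewritten against the same tables and columns with three changes: no class-wide JDBC state (every handle is a local closed by try-with-resources), the user id is bound as a parameter instead of being concatenated into the SQL, and the password hash is fetched and compared in Java with MessageDigest.isEqual rather than being part of the WHERE clause, so attacker-controlled input never shapes the query. Assumed, and not from the thread: a pooled javax.sql.DataSource (in Tomcat typically looked up from JNDI), a hypothetical PasswordHasher interface standing in for passwordservices.encrypt, and a nested UserBean that mirrors the thread's userbean so the file compiles on its own. Java 7 or later is required for try-with-resources.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.sql.DataSource;

public final class LoginService {

    private static final Logger LOG = Logger.getLogger(LoginService.class.getName());

    // Only the user id is a parameter; the hash never reaches the database as a predicate.
    private static final String QUERY =
          "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC"
        + "  FROM LOGIN_INFORMATION a JOIN ROLES b ON a.ROLE_ID = b.ROLE_ID"
        + " WHERE a.ACTIVE = 'A' AND LOWER(a.USER_ID) = LOWER(?)";

    /** Hypothetical stand-in for passwordservices.encrypt: clear-text password -> stored form. */
    public interface PasswordHasher { String hash(String password); }

    /** Minimal version of the thread's userbean so this file compiles by itself. */
    public static final class UserBean {
        private String userId, password, name, branch, role, lastLogin, roleDesc;
        private boolean valid;
        public UserBean(String userId, String password) { this.userId = userId; this.password = password; }
        public String getUserId()   { return userId; }
        public String getName()     { return name; }
        public String getBranch()   { return branch; }
        public String getRole()     { return role; }
        public String getLastLogin(){ return lastLogin; }
        public String getRoleDesc() { return roleDesc; }
        public boolean isValid()    { return valid; }
    }

    private final DataSource ds;        // one pooled source shared by all requests; connections are not
    private final PasswordHasher hasher;

    public LoginService(DataSource ds, PasswordHasher hasher) {
        this.ds = ds;
        this.hasher = hasher;
    }

    public UserBean login(UserBean bean) {
        bean.valid = false;
        // Hash what the user typed before touching the database; the result lives on this thread's stack only.
        byte[] presented = hasher.hash(bean.password).getBytes(StandardCharsets.UTF_8);

        try (Connection con = ds.getConnection();
             PreparedStatement ps = con.prepareStatement(QUERY)) {
            ps.setString(1, bean.userId);   // bound as data: a quote or "' OR 1=1 --" in the id cannot change the query
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return bean;            // unknown or inactive user: same answer as a wrong password
                }
                String stored = rs.getString("PASSWORD");
                byte[] storedBytes = stored == null ? new byte[0] : stored.getBytes(StandardCharsets.UTF_8);
                if (!MessageDigest.isEqual(storedBytes, presented)) {
                    return bean;            // constant-time compare; no early exit on the first differing byte
                }
                bean.name      = rs.getString("NAME");
                bean.userId    = rs.getString("USER_ID");
                bean.branch    = rs.getString("BRANCH_CODE");
                bean.role      = rs.getString("ROLE_ID");
                bean.lastLogin = rs.getString("LAST_LOGIN_DATE");
                bean.roleDesc  = rs.getString("ROLE_DESC");
                bean.valid     = true;
            }
        } catch (SQLException e) {
            // Log the failure with context, but never the query text, the hash, or the password.
            LOG.log(Level.SEVERE, "login failed for user id " + bean.userId, e);
        }
        return bean;                        // all handles are already closed by try-with-resources, in reverse order
    }
}
```

In a Tomcat web application the DataSource would normally come from a JNDI lookup of the pool configured in the context, and PasswordHasher from whatever passwordservices does today. The hashing scheme is deliberately left outside this class: as Chris notes earlier in the thread, a plain unsalted digest is what the container realm offers, and a per-user salt (stored in its own column and fed to the hasher together with the typed password) is the improvement this structure leaves room for without touching the query.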
Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
On 21/08/2010 05:42, Yawar Khan wrote:
> Chris, I had a look at container-managed authentication and it's quite handy. But I couldn't see how I can add extra functionality like calling an encryption function on the password text field before Tomcat does its authentication on it.

The Tomcat Documentation is an excellent resource and is worth the time you'll spend reading it. See the 'digest' attribute of the DataSourceRealm. (You are using a DataSource, aren't you?)

http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html#Standard_Implementation

> For JS, my client-side authentication is done on the form submit button click event. If the hackers do disable JavaScript, how will my HTML form be submitted?

By pushing the button? By constructing a URL and posting to it using a non-browser script in an automated attack client?

> However, I will add some server-side validation as well; I agree that's important.

Don't bother, just use the container auth. That way you don't have to worry about SQL injection attacks, because the SQL isn't poorly cobbled together using String concatenation.

p

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, August 20, 2010 3:41 AM
> To: Tomcat Users List
> Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
>
> Yawar,
>
> On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
> > Your comments on my current code tell me that this code is not bad, but I should check out Tomcat's container-managed logins... right?
>
> This code seems to be doing more work than necessary. Container-managed authentication and authorization is a useful service provided by the container. I highly recommend taking a look at using it, but it may be ... disruptive to your existing workflows.
>
> > Plus I would like to mention that I have client-side form validations (JS) to stop query busters.
>
> I'm sure that hackers will be sure to leave JavaScript enabled when they visit your site.
>
> -chris
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
[...]

ysk

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, August 20, 2010 3:43 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Wesley,

On 8/19/2010 5:04 PM, Wesley Acheson wrote:
> Maybe it's just me but I still don't see where uadc is declared or even imported.

...or even used. I'm guessing that the bad code exists outside of this login servlet.

-chris
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Wesley, no, I am not using SQL bindings. What are the security holes? You haven't told me why my sessions are getting mixed up here.

From: Wesley Acheson wesley.ache...@gmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 3:16:23 PM
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:
> Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form.

Javascript / ECMAScript and any client-side scripting are completely bypassable and offer no security.

http://www.xs4all.nl/~sbpoley/webmatters/formval.html

So field validation doesn't help you. Also anyone can post to your servlets.

Are you using bindings for your SQL? I see security holes here but don't have time for a use case.

> Is there another genuine threat or bug that you identified and would like to share? Please do; I am sharing the udac source code as well. Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that e-mail so I am unable to name that gentleman friend.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
On 21/08/2010 13:04, Yawar Khan wrote:
> Wesley, no, I am not using SQL bindings. What are the security holes? You haven't told me why my sessions are getting mixed up here.

Felix has.

p

> From: Wesley Acheson wesley.ache...@gmail.com
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Sat, August 21, 2010 3:16:23 PM
> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>
> On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:
> > Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form.
>
> Javascript / ECMAScript and any client-side scripting are completely bypassable and offer no security.
>
> http://www.xs4all.nl/~sbpoley/webmatters/formval.html
>
> So field validation doesn't help you. Also anyone can post to your servlets.
>
> Are you using bindings for your SQL? I see security holes here but don't have time for a use case.
>
> > Is there another genuine threat or bug that you identified and would like to share? Please do; I am sharing the udac source code as well. Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that e-mail so I am unable to name that gentleman friend.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Thanks Felix, very nicely explained! But do you think that declaring the connection and rs variables outside the login function is causing the session mix-up issue?

From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

Am Freitag, den 20.08.2010, 21:54 -0700 schrieb Yawar Khan:
> Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form. Is there another genuine threat or bug that you identified and would like to share? Please do; I am sharing the udac source code as well. Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that e-mail so I am unable to name that gentleman friend.
>
> package org.mcb.services;
>
> import java.text.*;
> import java.util.*;
> import java.sql.*;
> import javax.servlet.http.HttpSession;
>
> public class udac {
>     static Connection currentCon = null;
>     static ResultSet rs = null;

This seems to be really problematic. Having ResultSet and Connection shared by many users is a bad idea. Imagine what happens when two requests come in at the same time:

    Request A                        Request B
    login(beanA)                     |
    currentCon = new Connection()    |
    |                                login(beanB)
    |                                currentCon = new Connection()   # BOOM

You are overwriting the class-wide variable currentCon. The same thing can happen to rs too. So better place currentCon and rs as method variables inside of login.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar Khan khanya...@yahoo.com schrieb:
> Thanks Felix, very nicely explained! But do you think that declaring the connection and rs variables outside the login function is causing the session mix-up issue?

Yes. But I think it is not messing with sessions, but rather messing with the values of your user beans.

Hth
Felix

> From: Felix Schumacher felix.schumac...@internetallee.de
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Sat, August 21, 2010 4:13:52 PM
> Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux
>
> Am Freitag, den 20.08.2010, 21:54 -0700 schrieb Yawar Khan:
> > Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form. Is there another genuine threat or bug that you identified and would like to share? Please do; I am sharing the udac source code as well. Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that e-mail so I am unable to name that gentleman friend.
> >
> > package org.mcb.services;
> >
> > import java.text.*;
> > import java.util.*;
> > import java.sql.*;
> > import javax.servlet.http.HttpSession;
> >
> > public class udac {
> >     static Connection currentCon = null;
> >     static ResultSet rs = null;
>
> This seems to be really problematic. Having ResultSet and Connection shared by many users is a bad idea. Imagine what happens when two requests come in at the same time:
>
>     Request A                        Request B
>     login(beanA)                     |
>     currentCon = new Connection()    |
>     |                                login(beanB)
>     |                                currentCon = new Connection()   # BOOM
>
> You are overwriting the class-wide variable currentCon. The same thing can happen to rs too. So better place currentCon and rs as method variables inside of login.
public static userbean login(userbean bean) { //preparing some objects for connection Statement stmt = null; String userid = bean.getUserId(); String password = bean.getPassword(); String epass = null; String name = null; String user_id = null; String role_id = null; String branch_code = null; String last_login = null; String role_desc = null; try{ epass = passwordservices.getInstance().encrypt(password); //passwordservices is a class which has functions to ecrypt a string and return back the string. }catch(Exception e){ System.out.println(e); I find it very useful to use a logging framework for reporting errors. And adding information about the state in which the error occured might help finding the root cause more easily. } String searchQuery = SELECT a.USER_ID,a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ; searchQuery = searchQuery + AND LOWER(a.USER_ID) = LOWER('+ userid + ') AND a.PASSWORD = '+epass+'; If your are using prepared Statements with parameters, you don't have to worry, if someone has forgotten to check those parameters for sql-injection. But you were told so already. Bye Felix try{ //connect to DB: connectionmanager is a class which contains connection functions currentCon = connectionmanager.scgm_conn(); stmt=currentCon.createStatement(); rs = stmt.executeQuery(searchQuery); boolean hasdata=false; while(rs.next()) { hasdata=true; name = rs.getString(NAME); user_id = rs.getString(USER_ID); branch_code = rs.getString(BRANCH_CODE); role_id = rs.getString(ROLE_ID); last_login = rs.getString(LAST_LOGIN_DATE); role_desc = rs.getString(ROLE_DESC); bean.setName(name); bean.setUserId(user_id); bean.setBranch(branch_code); bean.setRole(role_id); bean.setLastLogin(last_login); bean.setRoleDesc(role_desc); bean.setValid(true); } if(!hasdata) { System.out.println(Sorry, you are not a registered user! 
Please sign up first + searchQuery); bean.setValid(false); } }catch (Exception ex){ System.out.println(Log In failed: An Exception has
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
On 19/08/2010 23:42, Christopher Schultz wrote:
> Wesley,
>
> On 8/19/2010 5:04 PM, Wesley Acheson wrote:
>> Maybe its just me but I still don't see where uadc is declared or even imported.
>
> ...or even used. I'm guessing that the bad code exists outside of this login servlet.

s/the bad/more bad/g

The OP has, unfortunately, not employed the usual letter-case based naming conventions, making the process of establishing the difference between a local variable and, say, a static class nigh on impossible. Having said that, my guess would be that 'udac' is the latter.

@OP What happens if udac throws an exception?

p

> -chris
RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
chris, i had a look at container managed authentication and its quite handy. but i couldnt see how i can add extra functionality like calling an encryption function on the password text field before tomcat does its authentication on it.

for js, my client side authentication is done on the form submit button click event. if the hackers do disable javascript, how will my html form be submitted? however, i will add some server side validation as well, i agree thats important.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, August 20, 2010 3:41 AM
To: Tomcat Users List
Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

> Yawar,
>
> On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
>> your comments on my current code tells me that this code is not bad, but I should check out tomcat's container managed logins... right?
>
> This code seems to be doing more work than necessary. Container-managed authentication and authorization is a useful service provided by the container. I highly recommend taking a look at using it, but it may be ... disruptive to your existing workflows.
>
>> plus I would like to mention that I have client side form validations (js) to stop query busters.
>
> I'm sure that hackers will be sure to leave javascript enabled when they visit your site.
>
> -chris
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Hi, i have been trying to post emails on this list but getting mailer-daemon replies that only subscribers can post. i dont know what happened there, so i subscribed my other email address.

ok, now for the topic at hand. Wesley, udac is a public class which exists in the same package and login is a static function. I think that much is pretty obvious. I had proper naming conventions, but when i moved my source code to linux my entire file names were changed to lower case, and the application could not find the classes and jsp files. i didnt know any other way (and didnt have any time for RnD) so i changed the names of classes and jsp files to lower case.

any ways, my original topic is sessions mix up. do you see any relevance of sessions in the udac class? sessions are getting created in loginmanager.

-----Original Message-----
From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Sent: Friday, August 20, 2010 2:05 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

> Maybe its just me but I still don't see where uadc is declared or even imported.
>
> On Thu, Aug 19, 2010 at 10:26 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote:
>> yea I did attach a .java file, anyways I am posting the code here;
>>
>>     package org.mcb.services;
>>
>>     import java.io.IOException;
>>     import java.io.PrintWriter;
>>     import javax.servlet.ServletException;
>>     import javax.servlet.http.HttpServlet;
>>     import javax.servlet.http.HttpServletRequest;
>>     import javax.servlet.http.HttpServletResponse;
>>     import javax.servlet.http.HttpSession;
>>
>>     /**
>>      *
>>      * @author yawar.saeed
>>      */
>>     public class loginmanager extends HttpServlet {
>>
>>         protected void processRequest(HttpServletRequest request, HttpServletResponse response)
>>                 throws ServletException, IOException {
>>             response.setContentType("text/html;charset=iso-8859-1");
>>             PrintWriter out = response.getWriter();
>>             try {
>>                 userbean user = new userbean();
>>                 user.setUserId(request.getParameter("txt_userid"));
>>                 user.setPassword(request.getParameter("txt_pass"));
>>                 user = udac.login(user);
>>                 if (user.isValid()) {
>>                     HttpSession session = request.getSession(true);
>>                     session.setAttribute("user_id", user.getUserId());
>>                     session.setAttribute("user_name", user.getName());
>>                     session.setAttribute("role_id", user.getRole());
>>                     session.setAttribute("role_desc", user.getRoleDesc());
>>                     session.setAttribute("last_login", user.getLastLogin());
>>                     //response.sendRedirect("main.jsp"); //logged-in page
>>                     response.sendRedirect(response.encodeRedirectURL("main.jsp"));
>>                 } else {
>>                     // response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
>>                     response.sendRedirect(response.encodeRedirectURL("index.jsp?user=" + user.isValid())); //revert back to login page
>>                 }
>>             } finally {
>>                 out.close();
>>             }
>>         }
>>
>>         @Override
>>         protected void doGet(HttpServletRequest request, HttpServletResponse response)
>>                 throws ServletException, IOException {
>>             processRequest(request, response);
>>         }
>>
>>         @Override
>>         protected void doPost(HttpServletRequest request, HttpServletResponse response)
>>                 throws ServletException, IOException {
>>             processRequest(request, response);
>>         }
>>     }
>>
>> From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
>> Sent: Fri 20-Aug-10 1:56 AM
>> To: Tomcat Users List
>> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>>
>>> Sorry can't see it. Are you sure you attached it? you could use something like pastebin if the mail list does not accept attachments.
>>>
>>> On Thu, Aug 19, 2010 at 9:27 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote:
>>>> source code is attached; suggestions are welcome.
>>>>
>>>> From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
>>>> Sent: Fri 20-Aug-10 12:38 AM
>>>> To: Tomcat Users List
>>>> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>>>>
>>>>> Okay, I've a little theory. Could you post the entire code for loginmanager? How is udac declared? If its a class variable then *ITS NOT THREAD SAFE*. As a basic rule don't declare class variables in a servlet (there are exceptions to this rule but you shouldn't under normal circumstances).
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Chris, you identified a possible sql injection in my code and declared it a very bad piece of code, despite the fact that jdbc does not allow more than 1 query on this execute function and I am doing field validation before submission of the form. Is there another genuine threat or bug that you identified and would like to share? Please do, I am sharing the udac source code as well. Wesley, your comments are also welcome; somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that email so I am unable to name that gentleman friend.

    package org.mcb.services;

    import java.text.*;
    import java.util.*;
    import java.sql.*;
    import javax.servlet.http.HttpSession;

    public class udac {
        static Connection currentCon = null;
        static ResultSet rs = null;

        public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try {
                epass = passwordservices.getInstance().encrypt(password);
                //passwordservices is a class which has functions to encrypt a string and return back the string.
            } catch (Exception e) {
                System.out.println(e);
            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + " AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";
            try {
                //connect to DB: connectionmanager is a class which contains connection functions
                currentCon = connectionmanager.scgm_conn();
                stmt = currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata = false;
                while (rs.next()) {
                    hasdata = true;
                    name = rs.getString("NAME");
                    user_id = rs.getString("USER_ID");
                    branch_code = rs.getString("BRANCH_CODE");
                    role_id = rs.getString("ROLE_ID");
                    last_login = rs.getString("LAST_LOGIN_DATE");
                    role_desc = rs.getString("ROLE_DESC");
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code);
                    bean.setRole(role_id);
                    bean.setLastLogin(last_login);
                    bean.setRoleDesc(role_desc);
                    bean.setValid(true);
                }
                if (!hasdata) {
                    System.out.println("Sorry, you are not a registered user! Please sign up first " + searchQuery);
                    bean.setValid(false);
                }
            } catch (Exception ex) {
                System.out.println("Log In failed: An Exception has occurred! " + ex);
            } //some exception handling
            finally {
                if (rs != null) {
                    try { rs.close(); } catch (Exception e) {}
                    rs = null;
                }
                if (stmt != null) {
                    try { stmt.close(); } catch (Exception e) {}
                    stmt = null;
                }
                if (currentCon != null) {
                    try { currentCon.close(); } catch (Exception e) {}
                    currentCon = null;
                }
            }
            return bean;
        }
    }

ysk

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, August 20, 2010 3:43 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

> Wesley,
>
> On 8/19/2010 5:04 PM, Wesley Acheson wrote:
>> Maybe its just me but I still don't see where uadc is declared or even imported.
>
> ...or even used. I'm guessing that the bad code exists outside of this login servlet.
>
> -chris
Sessions mix-up on Tomcat 6.0.26 on Linux
Hi,

I have developed a web application using jsp and servlets with an oracle database. The application is working fine on windows, but the problem arises when we deploy it on Linux (64bit): we get session issues in the application. The session variables get mixed up and we can see the previously logged-in user's profile page. The menu options sometimes show those of previously logged-in users, sometimes the currently logged-in user's. For example, session.getAttribute("role_id") sometimes retrieves 3 and sometimes 1 depending on previous values.

please help!

Yawar S. Khan
Senior Manager - Business Applications
Information Technology Group (Karachi)
yawar.sa...@mcb.com.pk mailto:yawar.sa...@mcb.com.pk
SST: 021-5656723
Cell: 0334-3752196

Success is a Journey, not a Destination...

This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. MCB Bank does not accept liability for any errors or omissions.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar Saeed Khan/ITG/Karachi wrote:
> Hi,
> I have developed a web application using jsp and servlets with oracle database.

and with Tomcat also ?

> The application is working fine on windows,

Windows version, JVM version, tomcat version ?

> but the problem arises when we deploy it on Linux(64bit),

Linux version, JVM version, tomcat version ?

> we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page. The menu options sometime show of previously logged users, sometimes currently logged user's. For example, session.getAttribute("role_id") sometime retrieves 3 and sometimes 1 depending on previous values.

Have you watched the JSESSIONID cookie in the browser after the different steps ? The JSESSIONID cookie value contains (or should contain) the session-id for your current session. This value should not change during the whole user session. Does it ?

What about differences in configuration between Windows and Linux ? Are you doing any kind of load-balancing in one case and not in the other ? Is there anything (proxy, firewall, load-balancer, http server, ..) between the browser and the tomcat server ?
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
On Thu, 2010-08-19 at 12:45 +0200, André Warnier wrote:
> Yawar Saeed Khan/ITG/Karachi wrote:
>> Hi,
>> I have developed a web application using jsp and servlets with oracle database.
>
> and with Tomcat also ?

Look in the subject line. :)

>> The application is working fine on windows,
>
> Windows version, JVM version, tomcat version ?
>
>> but the problem arises when we deploy it on Linux(64bit),
>
> Linux version, JVM version, tomcat version ?

Look in the subject line. :)

>> we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page. The menu options sometime show of previously logged users, sometimes currently logged user's. For example, session.getAttribute("role_id") sometime retrieves 3 and sometimes 1 depending on previous values.
>
> Have you watched the JSESSIONID cookie in the browser after the different steps ? The JSESSIONID cookie value contains (or should contain) the session-id for your current session. This value should not change during the whole user session. Does it ?
>
> What about differences in configuration between Windows and Linux ? Are you doing any kind of load-balancing in one case and not in the other ? Is there anything (proxy, firewall, load-balancer, http server, ..) between the browser and the tomcat server ?
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar Saeed Khan/ITG/Karachi wrote:
> I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows,

Or at least running on that platform hasn't uncovered the latent bugs in your webapp.

> but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page.

This happens frequently for applications that misuse scope, doing such things as storing the request or response object in the session or some ThreadLocal field. It has never been shown to be an issue in a stable version of Tomcat.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Ben Souther wrote:
> On Thu, 2010-08-19 at 12:45 +0200, André Warnier wrote:
>> Yawar Saeed Khan/ITG/Karachi wrote:
>>> Hi,
>>> I have developed a web application using jsp and servlets with oracle database.
>>
>> and with Tomcat also ?
>
> Look in the subject line. :)

Ok, I overlooked the subject line (*). Mea culpa.

However, a really long experience with problem reports tells me that when someone says "it is just the same, only the OS changes" or "I did not change anything", in the end it never turns out that way. So my questions remain, despite the subject line.

Basically, by asking these questions (and asking them over and over again), the purpose is not to bother the OP. The purpose is to try to delimit the issue properly from the start, rather than having to spend 10 back-and-forth messages to do so. Clearly in this case, if all elements were identical except for the OS, this kind of issue would not happen. Ergo, there must be something else than the OS involved. I am just trying to find out what it is, and maybe in the process get the OP to figure it out too.

(*) Maybe it was because it did not have a "HELP!!" or "ASAP" or "tomcat does not work" in it. ;-)
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
On 19/08/2010 14:02, Caldarale, Charles R wrote:
> Yawar Saeed Khan/ITG/Karachi wrote:
>> I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows,
>
> Or at least running on that platform hasn't uncovered the latent bugs in your webapp.
>
>> but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page.
>
> This happens frequently for applications that misuse scope, doing such things as storing the request or response object in the session or some ThreadLocal field. It has never been shown to be an issue in a stable version of Tomcat.

+1

Odds on the session or request is being stored in an instance field in a servlet somewhere.

p

> - Chuck
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Chuck, what you say makes sense but I check the behavior on windows. the problem is in Linux environment only. I would imagine that tomcat configuration might be different on both machines, but have no clue abt configuring tomcat. (maybe session cache issue?) I just installed tomcat 6.0.26 on both machines with default configurations.

From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Thu 19-Aug-10 7:02 PM
To: Tomcat Users List
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

> Yawar Saeed Khan/ITG/Karachi wrote:
>> I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows,
>
> Or at least running on that platform hasn't uncovered the latent bugs in your webapp.
>
>> but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page.
>
> This happens frequently for applications that misuse scope, doing such things as storing the request or response object in the session or some ThreadLocal field. It has never been shown to be an issue in a stable version of Tomcat.
>
> - Chuck
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Ok, let me share my source code with you...

my index.jsp page has a html form which submits the form data to a servlet called loginmanager. this is the code inside the doPost function;

    try {
        userbean user = new userbean(); // userbean is a class that has setter and getter functions for user attributes
        user.setUserId(request.getParameter("txt_userid"));
        user.setPassword(request.getParameter("txt_pass"));
        user = udac.login(user); //udac is a class that has data access functions, login function takes user object and checks its existence in db and sets isValid attribute for that user
        if (user.isValid()) {
            HttpSession session = request.getSession(true);
            session.setAttribute("user_id", user.getUserId());
            session.setAttribute("user_name", user.getName());
            session.setAttribute("role_id", user.getRole());
            session.setAttribute("role_desc", user.getRoleDesc());
            session.setAttribute("last_login", user.getLastLogin());
            response.sendRedirect("main.jsp"); //logged-in page
        } else {
            response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
        }
    } finally {
        out.close();
    }

Previously i had tried a simple way; my index.jsp file called itself on form submit, the below code was in index.jsp (no servlet etc);

    //after form is submitted
    String query = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
    query = query + " AND LOWER(a.USER_ID) = LOWER('" + request.getParameter("txt_userid") + "') AND a.PASSWORD = '" + epass + "'";
    boolean hasdata = false;
    java.sql.ResultSet rs = connection.executeQuery(query);
    while (rs.next()) {
        hasdata = true;
        session.setAttribute("user_id", rs.getString("USER_ID"));
        session.setAttribute("user_name", rs.getString("NAME"));
        session.setAttribute("branch_code", rs.getString("BRANCH_CODE"));
        session.setAttribute("role_id", rs.getString("ROLE_ID"));
        session.setAttribute("role_desc", rs.getString("ROLE_DESC"));
        session.setAttribute("last_login", rs.getString("LAST_LOGIN_DATE"));
        upsql = "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'";
        int up = connection.executeUpdate("UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'");
        int audit_insrt = InsertAuditEntry("F001", (String) session.getAttribute("user_id"), (String) session.getAttribute("branch_code"));
        response.sendRedirect("main.jsp");
        //out.println("Logged in");
    }

behaviour is the same in both cases.

thanks!

From: Pid [mailto:p...@pidster.com]
Sent: Thu 19-Aug-10 9:03 PM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

> On 19/08/2010 14:02, Caldarale, Charles R wrote:
>> Yawar Saeed Khan/ITG/Karachi wrote:
>>> I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows,
>>
>> Or at least running on that platform hasn't uncovered the latent bugs in your webapp.
>>
>>> but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page.
>>
>> This happens frequently for applications that misuse scope, doing such things as storing the request or response object in the session or some ThreadLocal field. It has never been shown to be an issue in a stable version of Tomcat.
>
> +1
>
> Odds on the session or request is being stored in an instance field in a servlet somewhere.
>
> p
>
>> - Chuck
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
2010/8/19 Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk:
> Ok, let me share my source code with you...
>
>     HttpSession session = request.getSession(true);
>     response.sendRedirect("main.jsp"); //logged-in page

See documentation on HttpServletResponse.encodeRedirectURL( ) method. It must be used here.

Best regards,
Konstantin Kolinko
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Konstantin, it seems that I will have to use HttpServletResponse.encodeRedirectURL( ) in every hyperlink? will that solve my sessions problem?

From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Thu 19-Aug-10 10:00 PM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

> 2010/8/19 Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk:
>> Ok, let me share my source code with you...
>>
>>     HttpSession session = request.getSession(true);
>>     response.sendRedirect("main.jsp"); //logged-in page
>
> See documentation on HttpServletResponse.encodeRedirectURL( ) method. It must be used here.
>
> Best regards,
> Konstantin Kolinko
Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar,

I'm marking this as off-topic for /your/ request. I just have some comments for you. Take them or leave them.

On 8/19/2010 11:53 AM, Yawar Saeed Khan/ITG/Karachi wrote:
> Ok, let me share my source code with you...
>
> my index.jsp page has a html form which submits the form data to a servlet called loginmanager. this is the code inside doPost function;
>
>     try {
>         userbean user = new userbean(); // userbean is a class that has setter and getter functions for user attributes
>         user.setUserId(request.getParameter("txt_userid"));
>         user.setPassword(request.getParameter("txt_pass"));
>         user = udac.login(user); //udac is a class that has data access functions, login function takes user object and checks its existence in db and sets isValid attribute for that user

Not using Tomcat's container-managed login? Any particular reason why not? It's quite easy to configure and has the added benefit of being properly tested.

>         if (user.isValid()) {
>             HttpSession session = request.getSession(true);
>             session.setAttribute("user_id", user.getUserId());
>             session.setAttribute("user_name", user.getName());
>             session.setAttribute("role_id", user.getRole());
>             session.setAttribute("role_desc", user.getRoleDesc());
>             session.setAttribute("last_login", user.getLastLogin());

Why not session.setAttribute("user", user)?

>             response.sendRedirect("main.jsp"); //logged-in page

That should be:

    response.sendRedirect(request.getContextPath() + response.encodeRedirectURL("/main.jsp"));

>         } else {
>             response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page

That should be:

    response.sendRedirect(request.getContextPath() + response.encodeRedirectURL("/index.jsp")
                          + "?user=" + java.net.URLEncoder.encode(String.valueOf(user.isValid()), "UTF-8"));

It always helps to format and encode things properly.

>         }
>     } finally {
>         out.close();
>     }

What is out?

> Previously i had tried a simple way; my index.jsp file called itself on form submit, below code was in index.jsp (no servlet etc);
>
>     //after form is submitted
>     String query = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
>     query = query + " AND LOWER(a.USER_ID) = LOWER('" + request.getParameter("txt_userid") + "') AND a.PASSWORD = '" + epass + "'";
>     boolean hasdata = false;
>     java.sql.ResultSet rs = connection.executeQuery(query);

Wow: this is a SQL injection attack just waiting to happen. What happens if I submit the txt_userid request parameter as "') OR 1;" or, even better, "'); DELETE FROM LOGIN_INFORMATION;" or some other evil thing? I believe that certain JDBC drivers will not execute more than one query per executeQuery() call, but you can't really count on that. It's easy to use a PreparedStatement and just do it properly: poof! SQL injection attacks are a thing of the past (unless the driver is broken, but they test those things very well).

Also, most SQL databases perform case-insensitive string comparisons, so your LOWER(a.USER_ID) = LOWER(...) can probably be simplified. Note that it also means you likely have case-insensitive passwords (though you haven't shown us what epass is -- it could have been hashed).

>     while (rs.next()) {
>         hasdata = true;
>         session.setAttribute("user_id", rs.getString("USER_ID"));
>         session.setAttribute("user_name", rs.getString("NAME"));
>         session.setAttribute("branch_code", rs.getString("BRANCH_CODE"));
>         session.setAttribute("role_id", rs.getString("ROLE_ID"));
>         session.setAttribute("role_desc", rs.getString("ROLE_DESC"));
>         session.setAttribute("last_login", rs.getString("LAST_LOGIN_DATE"));
>         upsql = "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'";
>         int up = connection.executeUpdate("UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'");
>         int audit_insrt = InsertAuditEntry("F001", (String) session.getAttribute("user_id"), (String) session.getAttribute("branch_code"));
>         response.sendRedirect("main.jsp");

How many redirects do you end up sending? Hopefully, only one.

But this code is bad, bad, bad. It makes me wonder what other nuggets can be found in your code.

-chris
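A login lookup that applies both fixes raised in this thread, Felix's (Connection and ResultSet as method locals instead of static fields) and Chris's (a PreparedStatement instead of SQL assembled from request parameters), written as an added example rather than the OP's or the project's code. It assumes a javax.sql.DataSource is available, that the caller passes the already-hashed password (what the OP's passwordservices.encrypt produced), and that UserBean is a stand-in for the OP's userbean.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

/** Stand-in for the OP's userbean (assumed shape: only the fields the login query fills). */
final class UserBean {
    private String userId, name, branch, role, roleDesc, lastLogin;
    private boolean valid;

    public String getUserId()           { return userId; }
    public void setUserId(String v)     { userId = v; }
    public String getName()             { return name; }
    public void setName(String v)       { name = v; }
    public String getBranch()           { return branch; }
    public void setBranch(String v)     { branch = v; }
    public String getRole()             { return role; }
    public void setRole(String v)       { role = v; }
    public String getRoleDesc()         { return roleDesc; }
    public void setRoleDesc(String v)   { roleDesc = v; }
    public String getLastLogin()        { return lastLogin; }
    public void setLastLogin(String v)  { lastLogin = v; }
    public boolean isValid()            { return valid; }
    public void setValid(boolean v)     { valid = v; }
}

/**
 * Replacement for udac.login: no static Connection/ResultSet shared between
 * requests, and no SQL text built from what the user typed.
 */
public final class LoginDao {
    // Same tables, columns and conditions as the OP's query. The two
    // user-supplied values are bind parameters, so the driver sends them
    // as data; a quote or ';' inside them never becomes part of the SQL.
    private static final String LOGIN_SQL =
        "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC "
      + "FROM LOGIN_INFORMATION a, ROLES b "
      + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID "
      + "AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?";

    private final DataSource dataSource;   // assumed: a pool looked up via JNDI

    public LoginDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /**
     * Looks up an active user by id and already-hashed password. Every JDBC
     * object is a method local that try-with-resources closes, so two requests
     * served at the same time on different threads each get their own
     * Connection and ResultSet and cannot overwrite each other's (Felix's BOOM).
     */
    public UserBean login(String userId, String passwordHash) throws SQLException {
        UserBean bean = new UserBean();
        bean.setUserId(userId);
        bean.setValid(false);
        if (userId == null || passwordHash == null) {
            return bean;                   // missing form field: do not query at all
        }
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, userId);       // bound as a value, not spliced into the SQL
            ps.setString(2, passwordHash);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {           // one matching row is all the servlet needs
                    bean.setUserId(rs.getString("USER_ID"));
                    bean.setName(rs.getString("NAME"));
                    bean.setBranch(rs.getString("BRANCH_CODE"));
                    bean.setRole(rs.getString("ROLE_ID"));
                    bean.setLastLogin(rs.getString("LAST_LOGIN_DATE"));
                    bean.setRoleDesc(rs.getString("ROLE_DESC"));
                    bean.setValid(true);
                }
            }
        }
        // A failed login simply returns valid == false; unlike the original,
        // the query text (which carried the password hash) is never printed.
        return bean;
    }
}
```

In loginmanager this takes the place of udac.login(user): the servlet would call new LoginDao(ds).login(userId, passwordservices.getInstance().encrypt(password)) and, as Chris suggests, keep the whole bean with session.setAttribute("user", bean) rather than one attribute per field.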
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yawar,

On 8/19/2010 11:28 AM, Yawar Saeed Khan/ITG/Karachi wrote:
> Chuck, what you say makes sense but I checked the behavior on Windows. The problem is in the Linux environment only. I would imagine that the Tomcat configuration might be different on both machines, but I have no clue about configuring Tomcat. (Maybe a session cache issue?) I just installed Tomcat 6.0.26 on both machines with default configurations.

You didn't mention if Windows was 32-bit or 64-bit. Are we talking about the same hardware? Equivalent hardware? What about number of cores? Sometimes, these things don't expose themselves unless true simultaneity is possible -- which requires more than one processor core.

Isn't non-determinism fun?

-chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxtZGYACgkQ9CaO5/Lv0PA3WwCeM0hqKcQTuA1gta0976o0uvm8
pE8AniQ4sbF9+KDAToJiQD4jc0zHuglw
=kqi+
-END PGP SIGNATURE-

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
On 8/19/2010 11:28 AM, Yawar Saeed Khan/ITG/Karachi wrote:
> Chuck, what you say makes sense but I checked the behavior on Windows.

All that says to me is that your testing environment on Windows is inadequate.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Okay, I've a little theory: could you post the entire code for loginmanager? How is udac declared? If it's a class variable then *IT'S NOT THREAD SAFE*. As a basic rule, don't declare class variables in a servlet (there are exceptions to this rule, but you shouldn't under normal circumstances).
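Wesley's rule is worth watching fail. The following is an added example, written for this page in Python and not taken from the thread or from the udac class, that models a data-access object holding its query result in a class-wide field (the Python analogue of a static field in a Java class that every request thread shares). Two "requests" log in as different users; the two threading.Event objects force the interleaving that on a multi-core machine happens by chance, which is also why such a bug may never show up on a single-core test box. The user names, roles and the login() method are constructed for the demo.

```python
import threading

# Constructed stand-in for the LOGIN_INFORMATION / ROLES rows: two users, two roles.
USERS = {
    "alice": {"NAME": "Alice", "ROLE_ID": "R1", "ROLE_DESC": "Teller"},
    "admin": {"NAME": "Admin", "ROLE_ID": "R9", "ROLE_DESC": "Administrator"},
}


class SharedStateDao:
    """Models a data-access class that keeps its query result in a class-wide
    field: every request thread reads and writes the same slot."""

    rs = None  # shared by all requests, like a static field in Java

    @classmethod
    def login(cls, user_id, pause=None):
        cls.rs = dict(USERS[user_id], USER_ID=user_id)  # the "executeQuery"
        if pause:
            pause()  # the container schedules another request here
        return cls.rs  # the "rs.getString(...)" calls that fill the user bean


class LocalStateDao:
    """Same logic with the result held in a local variable: each call owns its
    own result, so concurrent requests cannot see each other's rows."""

    @staticmethod
    def login(user_id, pause=None):
        rs = dict(USERS[user_id], USER_ID=user_id)
        if pause:
            pause()
        return rs


def simulate_concurrent_logins(dao_cls):
    """Run two login requests on two threads with a forced interleaving:
    request A is suspended between its query and its reads while request B
    runs to completion. Returns, per requester, the USER_ID that ended up in
    that requester's session."""
    a_inside_login = threading.Event()
    b_finished = threading.Event()
    sessions = {}

    def pause():
        a_inside_login.set()        # A has run its query and is about to read
        b_finished.wait(timeout=5)  # ...but B gets the CPU first

    def request_a():
        sessions["alice"] = dao_cls.login("alice", pause=pause)

    def request_b():
        a_inside_login.wait(timeout=5)
        sessions["admin"] = dao_cls.login("admin")
        b_finished.set()

    threads = [threading.Thread(target=request_a), threading.Thread(target=request_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {requester: bean["USER_ID"] for requester, bean in sessions.items()}


if __name__ == "__main__":
    print("shared field  :", simulate_concurrent_logins(SharedStateDao))
    print("local variable:", simulate_concurrent_logins(LocalStateDao))
```

With the shared field, the requester who logged in as alice ends up with admin's row (and admin's role) in her session, while the local-variable version gives each requester their own row. Tomcat serves each request on a pool thread against one shared servlet instance, so anything held in a static or instance field of the servlet or of a helper it calls behaves like SharedStateDao.rs; Connection and ResultSet belong in locals of the login call.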
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
source code is attached; suggestions are welcome.

From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Sent: Fri 20-Aug-10 12:38 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. MCB Bank does not accept liability for any errors or omissions.
RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
thanks for your constructive comments, as I mentioned that bad, bad, bad code is out, no longer in the application... your comments on my current code tell me that this code is not bad, but I should check out Tomcat's container-managed logins... right? Plus I would like to mention that I have client-side form validations (JS) to stop query busters.

From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thu 19-Aug-10 11:01 PM
To: Tomcat Users List
Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

> Yawar,
>
> I'm marking this as off-topic for /your/ request. I just have some comments for you. Take them or leave them.
>
> On 8/19/2010 11:53 AM, Yawar Saeed Khan/ITG/Karachi wrote:
>> Ok, let me share my source code with you... my index.jsp page has an html form which submits the form data to a servlet called loginmanager. this is the code inside the doPost function;
>>
>>     try {
>>         userbean user = new userbean(); // userbean is a class that has setter and getter functions for user attributes
>>         user.setUserId(request.getParameter("txt_userid"));
>>         user.setPassword(request.getParameter("txt_pass"));
>>         user = udac.login(user); // udac is a class that has data access functions; login takes a user object, checks its existence in the db and sets the isValid attribute for that user
>
> Not using Tomcat's container-managed login? Any particular reason why not? It's quite easy to configure and has the added benefit of being properly tested.
>
>>         if (user.isValid()) {
>>             HttpSession session = request.getSession(true);
>>             session.setAttribute("user_id", user.getUserId());
>>             session.setAttribute("user_name", user.getName());
>>             session.setAttribute("role_id", user.getRole());
>>             session.setAttribute("role_desc", user.getRoleDesc());
>>             session.setAttribute("last_login", user.getLastLogin());
>
> Why not session.setAttribute("user", user)?
>
>>             response.sendRedirect("main.jsp"); //logged-in page
>
> That should be:
>
>     response.sendRedirect(request.getContextPath() + response.encodeRedirectURL("/main.jsp"));
>
>>         } else {
>>             response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
>
> That should be:
>
>     response.sendRedirect(request.getContextPath() + response.encodeRedirectURL("/main.jsp") + "?user=" + java.net.URLEncoder.encode(user.isValid()));
>
> It always helps to format and encode things properly.
>
>>         }
>>     } finally {
>>         out.close();
>>     }
>
> What is out?
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Sorry, can't see it. Are you sure you attached it? You could use something like pastebin if the mailing list doesn't accept attachments.

On Thu, Aug 19, 2010 at 9:27 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote:
> source code is attached; suggestions are welcome.
Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Client-side validation is for convenience and user feedback. Server-side validation is still required. Nothing requires a user to use a browser, or to not use an extension like Fiddler or Tamper to play with the information once it's passed your validation scripts.

. . . just my two cents.

/mde/

- Original Message -
From: Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk
To: Tomcat Users List users@tomcat.apache.org
Sent: Thu, August 19, 2010 12:27:08 PM
Subject: RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

> thanks for your constructive comments, as I mentioned that bad, bad, bad code is out, no longer in the application... your comments on my current code tell me that this code is not bad, but I should check out Tomcat's container-managed logins... right? Plus I would like to mention that I have client-side form validations (JS) to stop query busters.
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
yea I did attach a .java file, anyways I am posting the code here;

    package org.mcb.services;

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    /**
     *
     * @author yawar.saeed
     */
    public class loginmanager extends HttpServlet {

        protected void processRequest(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html;charset=iso-8859-1");
            PrintWriter out = response.getWriter();
            try {
                userbean user = new userbean();
                user.setUserId(request.getParameter("txt_userid"));
                user.setPassword(request.getParameter("txt_pass"));
                user = udac.login(user);
                if (user.isValid()) {
                    HttpSession session = request.getSession(true);
                    session.setAttribute("user_id", user.getUserId());
                    session.setAttribute("user_name", user.getName());
                    session.setAttribute("role_id", user.getRole());
                    session.setAttribute("role_desc", user.getRoleDesc());
                    session.setAttribute("last_login", user.getLastLogin());
                    //response.sendRedirect("main.jsp"); //logged-in page
                    response.sendRedirect(response.encodeRedirectURL("main.jsp"));
                } else {
                    // response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
                    response.sendRedirect(response.encodeRedirectURL("index.jsp?user=" + user.isValid())); //revert back to login page
                }
            } finally {
                out.close();
            }
        }

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }

        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }
    }

From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Sent: Fri 20-Aug-10 1:56 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Maybe it's just me but I still don't see where udac is declared or even imported.

On Thu, Aug 19, 2010 at 10:26 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote:
> yea I did attach a .java file, anyways I am posting the code here;
Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar,

On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
> your comments on my current code tell me that this code is not bad, but I should check out Tomcat's container-managed logins... right?

This code seems to be doing more work than necessary. Container-managed authentication and authorization is a useful service provided by the container. I highly recommend taking a look at using it, but it may be ... disruptive to your existing workflows.

> plus I would like to mention that I have client-side form validations (JS) to stop query busters.

I'm sure that hackers will be sure to leave javascript enabled when they visit your site.

-chris
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Wesley,

On 8/19/2010 5:04 PM, Wesley Acheson wrote:
> Maybe it's just me but I still don't see where udac is declared or even imported.

...or even used. I'm guessing that the bad code exists outside of this login servlet.

-chris