Embedding encrypted info about things like the domain, IP address, and
user credentials in the cookie, as well as a timeout for the cookie, can
make it very difficult to spoof though.
Ollie
On Thu, 2004-02-19 at 23:46, Nicholas Lesiecki wrote:
I second Andy.
BTW, It is possible to spoof
Not to diverge too far from the topic, but...
Even with encryption you have to be careful, as the WEP (Wired Equivalent
Privacy, part of the 802.11 spec) folks found out the hard way. I don't
recall what the relevant data were, but some part of WEP involved
sending some bytes and a crc-32
I think you are right, otherwise the J2EE spec would be insecure by definition.
A *request* attribute can be changed just by appending it as a URL parameter,
but that is really just another name for a form field. Maybe that is what they
are thinking of.
Robert Zeigler wrote:
However, someone
That's what I was thinking... but I wanted to bounce it off someone to
make sure I wasn't going crazy. ;)
Thanks for the validation. =)
Robert
Chad Woolley wrote:
I think you are right, otherwise the J2EE spec would be insecure by
definition. A *request* attribute can be changed just by
Hi Robert,
Your understanding is the same as mine. But, the security question you pose
is interesting. I wonder if it would be possible to change your session ID
and access someone else's session. Depending on the application, this could
be a security risk.
I'll have to look into that...
Andy
I second Andy.
BTW, it is possible to spoof someone else's session id cookie, posing a
security risk. An application with serious security concerns (banking,
ecommerce) would need to pay attention to this vulnerability.
Nick
On Feb 19, 2004, at 10:41 PM, Andrew Barton wrote:
Hi Robert,
Your