Dervis Cokbilir wrote:

>
> >> Also, when I can't use a cookie and encode the URL for transferring
> >> User ID between requests, the URL becomes something like
> >> http://www.xxx.com/JSERVUID=some_junk_data. Is this secure?
>
> >Secure in what way?
>
> >In the above URL, what is being exposed is an identifier specific to a
> >session. But this does not expose any application/user data.
>
> I mean, is it secure for users to see the session IDs? Cause, if you
> know the session ID of your session, you might be able to get the
> session ID of someone else, you can see all the data that belongs to
> that user if Java doesn't encode this session id with EncodeURL
> function very well. It looks like a backdoor for hackers.
>

When using cookies, the session ID is just as easy to grab, because it is sent
in every request.  Being "invisible" doesn't make it any more secure.

In either case, all you can do with a session ID is to impersonate an existing
user (by sending requests to your existing servlets with the stolen session
ID), and this only works for the duration of the existing session (servlet
engines will generally use an algorithm that does not create duplicate session
IDs).  Some fairly simple "traps" in your servlets, such as making sure all
the requests for the same session come from the same client IP address, can
cut down lots of potential problems.  But, the more secure protection would be
encryption -- then, snooping the session ID in the first place becomes much
more difficult.

Craig McClanahan
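One way to implement the "same client address" trap described above as a servlet Filter, added here as an example (not code from the thread). The attribute name is chosen for this example, and it assumes the Servlet 2.3+ Filter API; address binding breaks for clients behind NAT or rotating proxies, so mismatches are logged rather than silently dropped.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds an HttpSession to the client address that first used it. A request
 * that presents the same session ID from a different address is treated as a
 * possibly stolen ID: the session is invalidated and the request rejected.
 * Caveat: NAT or proxy pools change a legitimate client's address, so deploy
 * only where that is acceptable and watch the log for false positives.
 */
public class SessionClientBindingFilter implements Filter {
    // Attribute name constructed for this example, not part of the servlet API.
    static final String BOUND_ADDR = "example.boundClientAddress";
    private FilterConfig config;

    public void init(FilterConfig cfg) throws ServletException { config = cfg; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one here
        String client = request.getRemoteAddr();

        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_ADDR);
            if (bound == null) {
                // First request seen on this session: remember who started it.
                session.setAttribute(BOUND_ADDR, client);
            } else if (!bound.equals(client)) {
                // Same session ID, different client: log (without the ID) and
                // destroy the session so the presented ID is useless afterwards.
                config.getServletContext().log("session bound to " + bound
                        + " presented from " + client + "; invalidating");
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { config = null; }
}
```

Register it in web.xml with a url-pattern covering the servlets that use sessions; it does nothing for requests that carry no session yet.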


Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html