Yeah, but why is this a security issue? Servlets are server side so aren't
you in control over all the code? And suppose you do decide to use a
third party servlet. Wouldn't you get that servlet from a reputable company?
Or maybe get source along with the servlet?

I mean this is not like applets where any code could run in your browser. In
servlets, you carefully control the code that runs in your environment.

I don't have experience with HttpSessionContext, so if this is a naive
question, my apologies...

Best regards,

--Hursh
=============================================================
My opinion only, not official KPMG policy etc. Please disregard
autogenerated notice below.
=============================================================



> -----Original Message-----
> From: Craig R. McClanahan [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, September 29, 1999 8:00 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: get a list of active sessions?
>
> Pinghua Young wrote:
>
> > Is there any way to get a list of all active sessions?
> >
>
> In the servlet API versions up through 2.0, this was possible using
> HttpSessionContext.  However, this entire class was deprecated, and the
> functionality removed, as of version 2.1 of the API due to security
> concerns.  For example, any servlet in your context could go snooping
> through all the user objects you've stored in all your sessions (which
> might contain sensitive information), or maliciously remove such objects
> or invalidate the sessions on you.
>
> Craig McClanahan
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html