Geoff Soutter wrote:

> Craig R. McClanahan wrote:
> >This would be just as fertile a ground for viruses as the Microsoft Office
> >macros that allowed Melissa and all of its clones.  Removing the ability to
> >list all the active sessions protects you from this, even in third party code.
>
> Craig, would you consider it safe if the API returned only sessions created
> by this webapp, and if the session object returned in this case only allowed
> access to attributes of the session created by this webapp?
>
> Geoff
>

(I thought I replied to this last night, but just in case ...).

No, I would not consider it safe even if the list of sessions were restricted
to this web app.  People will still use third party servlets, JSP pages, and
other components in their apps, so they would still be at risk.

Craig

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html