Craig R. McClanahan wrote:
>Geoff Soutter wrote:
>> Craig R. McClanahan wrote:
>> >This would be just as fertile a ground for viruses as the Microsoft Office
>> >macros that allowed Melissa and all of its clones. Removing the ability to
>> >list all the active sessions protects you from this, even in third party
>> >code.
>>
>> Craig, would you consider it safe if the API returned only sessions created
>> by this webapp, and if the session object returned in this case only allowed
>> access to attributes of the session created by this webapp?
>
>No, I would not consider it safe even if the list of sessions were restricted
>to this web app. People will still use third party servlets, JSP pages, and
>other components in their apps, so they would still be at risk.
This doesn't make sense to me. If one can use third party components safely
in a normal app, can't you use them in a servlet too? I thought that one
must always assume that one's third party components were "secure",
regardless of whether they were deployed in a java servlet or as an OCX in a
VB program.
Geoff
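As an added illustration of the design point argued above (this is example code written for this page, not code from either poster or from the Servlet specification): a container-scoped HttpSessionListener can give a webapp the per-webapp session visibility Geoff asks about while still honouring Craig's objection, because it records only opaque metadata and never hands out an HttpSession reference. Any third-party servlet or JSP in the same webapp can learn how many sessions are live and how old they are, but it cannot enumerate other users' sessions, read their attributes, or recover their session IDs. The class name, the SHA-256 keying and the Info view are assumptions of this example; the listener API (sessionCreated/sessionDestroyed) is the standard javax.servlet.http one.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Example (hypothetical) registry of live-session metadata for one webapp.
 * The container scopes listeners to the webapp, so this only ever sees
 * sessions created by this application. It deliberately stores neither the
 * HttpSession object nor the raw session ID, so nothing in the webapp can use
 * it to reach into another user's session.
 */
@WebListener
public class SessionMetadataRegistry implements HttpSessionListener {

    /** Immutable, attribute-free view of a single session. */
    public static final class Info {
        public final long createdAtMillis;
        public final int maxInactiveSeconds;

        Info(long createdAtMillis, int maxInactiveSeconds) {
            this.createdAtMillis = createdAtMillis;
            this.maxInactiveSeconds = maxInactiveSeconds;
        }
    }

    // Keyed by a SHA-256 digest of the session ID rather than the ID itself:
    // the ID is a bearer credential, so holding it here would be a liability.
    private static final Map<String, Info> LIVE = new ConcurrentHashMap<>();

    private static String token(HttpSession session) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(session.getId().getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // Copy only scalar metadata; the HttpSession reference is dropped here.
        LIVE.put(token(session),
                 new Info(session.getCreationTime(), session.getMaxInactiveInterval()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        LIVE.remove(token(event.getSession()));
    }

    /** Number of sessions currently live in this webapp. */
    public static int activeCount() {
        return LIVE.size();
    }

    /**
     * Snapshot of metadata only. Callers (including third-party components
     * packaged in this webapp) get no handle to any HttpSession and no way to
     * address a particular user's session.
     */
    public static List<Info> snapshot() {
        return Collections.unmodifiableList(new ArrayList<>(LIVE.values()));
    }
}
```

The @WebListener annotation is Servlet 3.0 and later; on older containers the same class is registered with a `<listener>` element in web.xml. The point of the design is that the monitoring surface is aggregate and read-only: the capability Craig warns about, reaching another user's session through a shared API, is simply not present for any code in the webapp to misuse.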
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html