Hi,
Has anybody ever thought of this?
You have 2 servlets running at the same servlet engine.
A user performs login at a site1 controlled by servlet1 (e.g. servlet of Amazon): a
session is created and stored in the user's cookie.
Then the user goes to the site2 controlled by servlet2 (e.g. servlet of
bookstore2=hostile to Amazon). This servlet checks for sessions
(with the sessionId received from the cookie storage). And if it finds a session it
assumes the user is already logged in and allows him
access (!).
While "friendly" servlets may want to share a session (to treat a client request by
more than one servlet: e.g. by forwarding the request from one servlet to the other),
this is a disaster for "hostile" servlets.
Is what I am saying really true? What can be done?
Axel, Lannion/France
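As an added example, not part of Axel's post, here is the defensive pattern that addresses the servlet2 problem: the protected servlet never treats the mere existence of a session as a login, but requires an authentication marker that this application's own login servlet bound into a freshly created session. The servlet classes, attribute names and the in-memory user store are assumptions (Servlet 2.2 API assumed for getContextPath).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/** Login servlet: binds an explicit marker to a FRESH session instead of trusting whatever id arrived. */
public class LoginServlet extends HttpServlet {
    // Session attribute names (assumed); only this servlet ever sets them.
    static final String USER = "site1.authenticatedUser";
    static final String CONTEXT = "site1.loginContextPath";
    // Constructed sample user store; a real deployment would look this up elsewhere.
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "correct horse battery staple");
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user"), pw = req.getParameter("password");
        if (user == null || pw == null || !pw.equals(USERS.get(user))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();          // discard any pre-login session id
        HttpSession s = req.getSession(true);
        s.setAttribute(USER, user);
        s.setAttribute(CONTEXT, req.getContextPath()); // record WHICH application logged in
        resp.sendRedirect(req.getContextPath() + "/account");
    }
}

/** Protected servlet: the mere existence of a session is NOT treated as a login. */
class AccountServlet extends HttpServlet {
    /** The user this application authenticated, or null if it did not log this session in. */
    static String authenticatedUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false);      // never create a session as a side effect
        if (s == null) return null;
        Object user = s.getAttribute(LoginServlet.USER);
        Object ctx = s.getAttribute(LoginServlet.CONTEXT);
        if (!(user instanceof String) || !req.getContextPath().equals(ctx)) return null;
        return (String) user;
    }
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = authenticatedUser(req);
        if (user == null) { resp.sendRedirect(req.getContextPath() + "/login"); return; }
        resp.setContentType("text/plain");
        resp.getWriter().println("Logged in as " + user);
    }
}
```

A session created by some other servlet before login carries none of these attributes, so it is redirected to the login page rather than admitted; invalidating the old session at login also keeps a pre-existing session id from being promoted to an authenticated one.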
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html