Surely if servlet1 and servlet2 are on different sites, the session scope
will be different, and hence data from session1 will not be visible to
session2?
-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet
API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of
Bartsch Axel
Sent: 08 February 2001 19:33
To: [EMAIL PROTECTED]
Subject: session security
Hi,
Has anybody ever thought of this?
You have 2 servlets running at the same servlet engine.
A user performs login at a site1 controlled by servlet1 (e.g. servlet of
Amazon): a session is created and stored in the user's cookie.
Then the user goes to the site2 controlled by servlet2 (e.g. servlet of
bookstore2=hostile to Amazon). This servlet checks for sessions
(with the sessionId received from the cookie storage). And if it finds a
session it assumes the user is already logged in and allows him
access (!).
While "friendly" servlets may want to share a session (to treat a client
request by more than one servlet: e.g. by forwarding the request from one
servlet to the other), this is a disaster for "hostile" servlets.
Is what I am saying really true? What can be done?
Axel, Lannion/France
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
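An added example, not code from either poster, of the check this thread turns on: a servlet that treats a request as logged in only when this application's own login code has stored a marker attribute in the session, rather than whenever any session exists. The attribute and class names are assumptions; the example relies on the Servlet 2.2 rule that HttpSession objects are scoped to a single web application (ServletContext), so a session id issued by one application does not resolve to a session in another.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Helper shared by the servlets of ONE web application. Sessions are scoped to the
// ServletContext, so the marker written here is not visible to another application's
// servlets even if the same browser presents a session cookie to them.
final class SessionAuth {
    // Attribute name chosen for this example; any name private to the application works.
    static final String USER_ATTR = "authenticatedUser";

    // Called by the login servlet only after the credentials have been verified.
    static void markLoggedIn(HttpServletRequest request, String user) {
        // Drop any pre-login session so an id issued before authentication is not kept.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTR, user);
    }

    // The existence of a session proves nothing (containers create them for anonymous
    // visitors too); only the marker set by the login code counts as "logged in".
    static String loggedInUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // false: never create one here
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }
}

// A servlet guarding a protected page with the check above.
public class AccountServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = SessionAuth.loggedInUser(request);
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login required");
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("account page for " + user);
    }
}
```

Servlets of a second web application on the same engine see their own ServletContext and therefore their own sessions; even a forwarded request only shares a session within one application.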