It would seem rather odd that two competitors ('amazon' & 'hostile_to_amazon') would be running in the same servlet engine??
Presumably you have control over what servlets you run on your box, or within your servlet engine. In answer to your question, what can be done? Don't run any hostile servlets on your box. Have I missed the point??
Mick
>>> Bartsch Axel <[EMAIL PROTECTED]> 02/09/01 06:32AM >>>
Hi,
Has anybody ever thought of this?
You have 2 servlets running in the same servlet engine.
A user performs login at site1, controlled by servlet1 (e.g. the servlet of Amazon): a session is created and its id is stored in the user's cookie.
Then the user goes to site2, controlled by servlet2 (e.g. the servlet of bookstore2 = hostile to Amazon). This servlet checks for sessions (with the sessionId received from the cookie storage). And if it finds a session it assumes the user is already logged in and allows him access (!).
While "friendly" servlets may want to share a session (to treat a client request by more than one servlet: e.g. by forwarding the request from one servlet to the other), this is a disaster for "hostile" servlets.
Is what I am saying really true? What can be done?
Axel, Lannion/France
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
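As an added example (not code from this thread), the defensive pattern for the failure Axel describes: a servlet must not treat the mere existence of an HttpSession as proof that its own login ran. The code below, written against the javax.servlet API, only trusts a principal that this application's own LoginServlet bound under an application-specific attribute name, and invalidates any session presented before login so an id created elsewhere is not carried over; the class names, URL paths, attribute name and the demo credential are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Protected servlet: a session merely existing proves nothing about who created
// it, so only a principal bound by this application's own LoginServlet counts.
public class AccountServlet extends HttpServlet {
    // Assumed attribute name, namespaced so a generic "user" attribute set by
    // some other servlet sharing the engine cannot be mistaken for our login.
    static final String PRINCIPAL_ATTR = "com.example.bookstore1.principal";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create one here
        if (session == null || !req.isRequestedSessionIdValid()
                || session.getAttribute(PRINCIPAL_ATTR) == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        String user = (String) session.getAttribute(PRINCIPAL_ATTR);
        resp.setContentType("text/plain");
        resp.getWriter().println("Logged in as " + user);
    }
}

// Assumed login servlet: the only code that binds the principal, done in a fresh
// session so a session id presented before login (possibly created by another
// servlet in the same engine) is discarded rather than upgraded to logged-in.
class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (!credentialsValid(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();          // drop pre-login session
        req.getSession(true).setAttribute(AccountServlet.PRINCIPAL_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    // Constructed demo credential; real code checks this application's own store.
    private boolean credentialsValid(String user, String pass) {
        return "alice".equals(user) && "demo-secret-constructed".equals(pass);
    }
}
```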