What do you mean with different sites? If you mean different servlet engines, I agree.
If not, it's not true what you are saying.

Axel

> -----Original Message-----
> From: Phil Murphy [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday 8 February 2001 23:19
> To:   [EMAIL PROTECTED]
> Subject:      Re: session security
>
> Surely if servlet1 and servlet2 are on different sites, the session scope
> will be different, and hence data from session1 will not be visible to
> session2?
>
> -----Original Message-----
> From: A mailing list for discussion about Sun Microsystem's Java Servlet
> API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of
> Bartsch Axel
> Sent: 08 February 2001 19:33
> To: [EMAIL PROTECTED]
> Subject: session security
>
>
> Hi,
>
> Has anybody ever thought of this?
>
> You have 2 servlets running at the same servlet engine.
>
> A user performs login at a site1 controlled by servlet1 (e.g. servlet of
> Amazon): a session is created and stored in the user's cookie.
>
> Then the user goes to the site2 controlled by servlet2 (e.g. servlet of
> bookstore2=hostile to Amazon). This servlet checks for sessions
> (with the sessionId received from the cookie storage). And if it finds a
> session it assumes the user is already logged in and allows him
> access (!).
>
> While "friendly" servlets may want to share a session (to treat a client
> request by more than one servlet: e.g. by forwarding the request from one
> servlet to the other), this is a disaster for "hostile" servlets.
> Is what I am saying really true? What can be done?
>
>
> Axel, Lannion/France
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html

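The failure Axel describes in the quoted question (servlet2 treats the mere existence of a session as proof of login) is illustrated below with an added example that is not from the thread: the login servlet binds an explicit identity attribute to a freshly created session, and the protected servlet requires that attribute rather than just a session. Class names, the `credentialsValid` helper and the `/login` path are assumptions; the scoping note in the comments relies on the Servlet 2.2+ specification, which scopes HttpSession objects to one web application (ServletContext).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (servlet1 in the thread's scenario).
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "authenticatedUser";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (!credentialsValid(user, pass)) {          // assumed helper
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Discard any session that existed before login so a session id
        // handed to the browser earlier is never upgraded to a logged-in one,
        // then bind the verified identity to the new session.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, user);
    }

    private boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && /* real check goes here */ false;
    }
}

// Hypothetical protected servlet; in a deployment it lives in its own file.
class ProtectedServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) never creates a session; it returns null unless the
        // request carries a valid id for THIS web application. Since Servlet 2.2
        // sessions are scoped per ServletContext, so a servlet in another web
        // application on the same engine does not see this session's attributes.
        HttpSession session = req.getSession(false);
        Object user = session == null ? null : session.getAttribute(LoginServlet.USER_ATTR);
        if (user == null) {                           // session alone proves nothing
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        resp.getWriter().println("Hello, " + user);
    }
}
```

Servlets that legitimately need to cooperate (the "friendly" case in the question) still do so inside one web application, by forwarding via RequestDispatcher, so the identity attribute travels with the same request and session rather than being inferred from a cookie.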