I would like to set my login JSP to have this directive (<%@ page session="false" %>) and the other ones to be in WEB-INF (not visible to users).

I use an application-specific authentication. I would like any user (friend or hacker) to get access to the (internationalized) login page, be able to commit the login form to "/login.do", and use struts-validator to validate required inputs. For all this no session should be created. When the user is authenticated, access to other URIs of the application is granted by a custom processRole.

Nico.

> How are you performing authentication? Depending on the process you're using, it
> may be possible to avoid hitting any of those conditions until after it's
> successful.
>
> P.S.
> By default, a JSP will create a session if one doesn't already exist (nothing to
> do with Struts), so any pages that can be hit by unauthenticated users should do:
>
> <%@ page session="false" %>
>
> Quoting Nicolas De Loof <[EMAIL PROTECTED]>:
>
> > I've made a grep on Struts 1.1 sources. I noticed some cases where a session
> > is created that seem to me 'uncontrolled':
> >
> > RequestProcessor uses request.getSession():
> > - in processLocale if the controller is configured to use Locale (default = true)
> >
> > HTMLTag uses request.getSession():
> > - in currentLocale(): if any JSP uses <html:html> a session is created!
> >
> > o.a.s.validator.Resources uses request.getSession():
> > - in getLocale(request): if the validator is used (for example to validate the login
> >   page) a session will always be created
> >
> > Isn't there any way NOT to create a session for a user that hasn't been
> > authenticated?
> >
> > Nico.
> >
> > > This is exactly what I'm looking for.
> > >
> > > For some of the applications I'm working on, my customers are paranoiac
> > > about security. I think that if an unauthenticated user is able to create a
> > > session on the server, it can expose the server to a DOS attack, because
> > > every created session will use some memory.
> > >
> > > It is really simple to write a client that sends hundreds of requests to the
> > > server. If a session is created on each request, the server will quickly be
> > > out of memory (Session object + stored objects (Locale) size).
> > >
> > > If a session is created only for authenticated users, the server will survive
> > > such a (simple) attack.
> > >
> > > Perhaps I'm wrong about this; if this scenario is stupid please tell me.
> > >
> > > For example, I've seen that RequestUtils.retrieveUserLocale() uses request
> > > scope if no session exists. This way, no session is created when displaying
> > > a login JSP that uses i18n.
> > >
> > > With locale="true" (default) a new session is created when ActionServlet
> > > processes a request. We need to set it to false to control session creation.
> > > I want to know if there are other Struts properties to set to avoid creating
> > > a new session for non-authenticated users.
> > >
> > > Nico.
> > >
> > > > Hi Manfred
> > > >
> > > > I think Nicolas is trying to find all places where Struts manipulates the
> > > > session in some way..
> > > >
> > > > Locale=True does indeed manipulate the session..thus resulting in the
> > > > session being created, if not already there.
> > > >
> > > > When no one (action, object, tag, whatever) has requested attributes to be
> > > > stored in the session, no session object will exist..Session info (cookie,
> > > > URL rewriting, etc) is only created if there are attributes on the Session
> > > > object. Am I correct on this one??
> > > >
> > > > I don't understand WHY Nicolas does not want the session to be created...Is
> > > > it because of memory usage...denial of service attacks...?
> > > >
> > > > Maybe, I don't understand, Nicolas, too...but it did give my few pennies
> > > > away :-)
> > > >
> > > > Regards
> > > >
> > > > Henrik
> > > >
> > > > ----- Original Message -----
> > > > From: "Manfred Wolff" <[EMAIL PROTECTED]>
> > > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > > Sent: Thursday, January 08, 2004 3:22 PM
> > > > Subject: Re: Configuring Struts NOT to create (unauthentified) sessions
> > > >
> > > > > Nicolas.
> > > > >
> > > > > I perhaps don't understand you. but (!) The locale attribute has nothing
> > > > > to do with creating sessions! The locale attribute tells struts to save
> > > > > a Locale-Object in the session, if there is nothing stored.
> > > > >
> > > > > Manfred
> > > > >
> > > > > Nicolas De Loof wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I would like Struts NOT to create a session for an unauthenticated user.
> > > > > > As far as I understand Struts code, I need to set locale="false" in
> > > > > > struts-config.xml <controller>.
> > > > > >
> > > > > > Is there any other Struts mechanism that can create a session (excluding
> > > > > > action-mappings declared as scope="session")?
> > > > > >
> > > > > > Doesn't the "locale" default value (true) expose lots of struts
> > > > > > applications to attack? (server Out of Memory because too many sessions
> > > > > > have been created - isn't this what is called "Denial Of Service"?)
> > > > > >
> > > > > > Nico.
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > > --
> > > > > ===========================================
> > > > > Dipl.-Inf. Manfred Wolff
> > > > > -------------------------------------------
> > > > > phone neusta : +49 421 20696-27
> > > > > phone : +49 421 534522
> > > > > mobil : +49 178 49 18 434
> > > > > eFax : +49 1212 6 626 63 965 33
> > > > > -------------------------------------------
>
> --
> Kris Schneider <mailto:[EMAIL PROTECTED]>
> D.O.Tech <http://www.dotech.com/>
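The thread's open question is which component first calls request.getSession() on a pre-login request: the JSP itself (unless it declares <%@ page session="false" %>), RequestProcessor.processLocale (unless the <controller> has locale="false"), the <html:html> tag, or the validator's Resources.getLocale(). Grepping the Struts sources is one way to find out; another is to let the container tell you at runtime. The filter below is an added example written for this page, not code from Struts or from anyone in the thread. It wraps requests that arrive on a pre-login path without a session and, the first time anything asks the wrapper to create one, logs the request URI together with a stack trace, so the container log names the exact class or JSP that forced the session into existence. The class name, the PUBLIC_PATHS list and the Servlet 2.3 Filter API (the Struts 1.1 era; Struts 1.1 itself only needs Servlet 2.2) are assumptions of this example. It observes and does not block: returning null from getSession() would break the very Struts code paths the thread lists, so the fixes remain the two the thread already names, session="false" on the login JSP and locale="false" on the controller.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Logs a stack trace the first time anything creates an HttpSession for a
 * request that arrived without one on a pre-login path. The trace names the
 * caller (RequestProcessor.processLocale, HtmlTag, validator Resources, a JSP
 * compiled with session="true", ...), which is what the grep in the thread
 * was trying to find by hand.
 *
 * Hypothetical class written for this example; it is not part of Struts.
 * Map it in web.xml with a filter-mapping whose url-pattern is "/*".
 */
public class SessionTripwireFilter implements Filter {

    /** Servlet paths reachable before authentication (assumed values). */
    private static final String[] PUBLIC_PATHS = { "/login.jsp", "/login.do" };

    private ServletContext context;

    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    public void destroy() {
        context = null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Only watch requests that are both pre-login and session-less.
        // getSession(false) never creates a session, so this check itself
        // cannot trip the wire.
        if (isPublicPath(request) && request.getSession(false) == null) {
            chain.doFilter(new TripwireRequest(request, context), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    static boolean isPublicPath(HttpServletRequest request) {
        String path = request.getServletPath();
        for (int i = 0; i < PUBLIC_PATHS.length; i++) {
            if (PUBLIC_PATHS[i].equals(path)) {
                return true;
            }
        }
        return false;
    }

    /** Wrapper that reports session creation; it deliberately does not block it. */
    private static class TripwireRequest extends HttpServletRequestWrapper {

        private final ServletContext context;

        TripwireRequest(HttpServletRequest request, ServletContext context) {
            super(request);
            this.context = context;
        }

        // Struts and generated JSP code mostly call the no-argument form,
        // which the servlet spec defines as getSession(true).
        public HttpSession getSession() {
            return getSession(true);
        }

        public HttpSession getSession(boolean create) {
            if (create && super.getSession(false) == null) {
                // A Throwable captures the caller chain; the container log then
                // shows which class or JSP forced the session into existence.
                context.log("Session created for unauthenticated request "
                        + getRequestURI(), new Throwable("session creation point"));
            }
            return super.getSession(create);
        }
    }
}
```

Once the log is clean for every pre-login path, the same filter doubles as a regression check: a new entry after a deployment means someone added a session-scoped form bean, an <html:html> tag or a JSP without session="false" to a page that unauthenticated clients can reach.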

