Vincent,

1. If you put some object into session scope, it will be stored on the server (in the memory occupied by the Java process executing your webapp). Some persistence mechanisms may save it to disk or into a database. But you would know if that is the case for you. However, the session ID is passed back and forth between the server and the client, of course. But that should not be a problem; because of the (pseudo-)random and quite complex nature of session IDs it would be hard to guess someone else's session ID.

2. I do not know of such a possibility, and it would certainly be a serious bug. However, anyone having root/administrator access to your machine could probably tamper with the memory and thereby manipulate your session state. But that would be the least of your problems, then.

3. If that were the case, you would have to trust what the client sends you. This is generally a very bad idea for security reasons (anyone can fake what he sends to you if he knows what he's doing). But luckily this is not the case.

Greetings
Andreas Mohrig

-----Original Message-----
From: Vincent Chen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 13, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject: session security questions?

Hi, all

I am running Tomcat as application server and using the session to store objects which will determine what dynamic content will be displayed. It's typical, but I have the following questions:

1. Where is the session variable stored? Server side or client cookie?
2. If the variables are stored on the server side, is it possible to fake them, and does a proof of concept exist?
3. If the variable is stored in a client cookie, I have the same question as for point 2.

Thanks,
Vincent
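As an added illustration of points 1 and 3 in Andreas' reply (example code written for this page, not Tomcat's implementation), here is a minimal model of what a servlet container does with a session: the attributes live in server memory, the cookie carries only an unguessable ID, and a client that edits or invents an ID gets a fresh empty session rather than someone else's. The names `SessionStore`, `handle_request`, `guess_probability`, the 128-bit ID length and the sample cookie headers are this example's own constructions; `JSESSIONID` is the servlet-standard cookie name.

```python
"""
Model of a server-side session store (added example, not Tomcat code).
Assumptions: 128-bit random hex IDs; a simplified Cookie header parser;
an unknown or altered ID silently yields a new, empty session.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

COOKIE_NAME = "JSESSIONID"   # servlet-standard cookie name; the value is an opaque ID
ID_BYTES = 16                # 128 bits of randomness per ID (this example's choice)


@dataclass
class Session:
    # Attributes never leave the server; only the ID is sent to the client.
    attributes: Dict[str, object] = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        """Allocate a new session under a fresh cryptographically random ID."""
        sid = secrets.token_hex(ID_BYTES)
        self._sessions[sid] = Session()
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[Session]:
        """Return the session for a presented ID, or None if it is unknown."""
        if sid is None:
            return None
        return self._sessions.get(sid)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse 'a=1; b=2' into a dict (simplified Cookie header handling)."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def handle_request(store: SessionStore, cookie_header: str) -> Tuple[Session, str, bool]:
    """
    Resolve the caller's session from its Cookie header. Returns the session,
    the ID the server will send back, and whether the presented ID was accepted.
    Anything other than a live ID gets a brand-new empty session.
    """
    presented = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    session = store.lookup(presented)
    if session is None:
        sid = store.create()
        return store.lookup(sid), sid, False
    return session, presented, True


def guess_probability(live_sessions: int, id_bits: int = ID_BYTES * 8) -> float:
    """Chance that one random guess hits any live session ID."""
    return live_sessions / float(2 ** id_bits)


def demo() -> dict:
    store = SessionStore()
    # First request: the server creates a session and stores the user's role
    # server-side; the response cookie carries only the ID.
    alice, alice_sid, _ = handle_request(store, "")
    alice.attributes["user"] = "alice"
    alice.attributes["role"] = "admin"

    # Returning with the genuine cookie recovers the stored attributes.
    same, _, accepted = handle_request(store, f"{COOKIE_NAME}={alice_sid}")

    # Constructed inputs: a cookie with one character changed, and a cookie
    # that tries to carry the role itself. Neither reaches Alice's data.
    flipped = ("0" if alice_sid[0] != "0" else "1") + alice_sid[1:]
    tampered, _, acc_tampered = handle_request(store, f"{COOKIE_NAME}={flipped}")
    fake, _, acc_fake = handle_request(store, f"{COOKIE_NAME}=admin; role=admin")

    return {
        "id_length": len(alice_sid),
        "returning_accepted": accepted,
        "role_recovered": same.attributes.get("role"),
        "tampered_accepted": acc_tampered,
        "tampered_attributes": dict(tampered.attributes),
        "fake_accepted": acc_fake,
        "fake_attributes": dict(fake.attributes),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `role=admin` cookie in the demo is deliberately ignored: the server reads nothing from the client except the ID, which is exactly why point 3 does not apply to a server-side session. `guess_probability` makes point 1 concrete: with a million live sessions and 128-bit IDs, a single guess succeeds with probability on the order of 10^-33.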
