Thanks for your reply DW :). What makes me concerned about this situation is that the owner of this project doesn't want someone to be able to "bypass" security by opening a new window from within the original window, so he "pushed" me to make it happen.
----- Original Message -----
From: "Mr Maillist" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <user@struts.apache.org>
Sent: Thursday, February 17, 2005 11:34 AM
Subject: Re: problem with securityfilter

> Hari,
>
> I'm not sure exactly what the concern is? The nature of sessions
> requires that one of two options be used. 1) I can re-write all URLs
> to contain a special session key. This key in the URL is then used by
> the servlet container to locate and unserialize the session object
> corresponding to that key. If the client browser has cookies enabled
> then another option is available: 2) the key is placed in a cookie that
> exists until the browser is closed, at which point it is deleted. On
> each request the servlet container uses the key stored in the cookie
> to locate and unserialize the session object.
>
> With this in mind, the only time that someone could "bypass" security
> filter is if they have logged in, NEVER closed the browser, and open a
> new window from within the original window. Once the browser has been
> closed the session key is destroyed. The biggest risk is if your
> users are at a public terminal and just walk away without closing the
> browser. If you provide the user with a logout option then you can
> destroy the session regardless of whether the browser has been closed
> or not.
>
> I'm not sure if this applies to SecurityFilter in general, since I
> have never used it and as I understand it, SecurityFilter simply wraps
> the container's security management. Good Luck...
>
> DW
>
>
> On Thu, 17 Feb 2005 10:53:49 +0700, Hari Saptoadi
> <[EMAIL PROTECTED]> wrote:
> > Hi all,
> >
> > First I'd like to say sorry if someone has already asked this question
> > before. I'm developing a web app with Struts and Tomcat as web server +
> > securityfilter (securityfilter.sourceforge.net). My problem is: if
> > someone has already logged in, and that user opens a new browser
> > window, securityfilter can't block this request (I mean the user does
> > not have to face the login page again). As far as I know this problem
> > occurs because the user has the same session. My question is, how can I
> > fix it? (I want every user to have to face the login page before using
> > the app.)
> >
> > Thank you for your answer ....
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
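The mechanism DW describes, as an added illustration that is not SecurityFilter's code and not from anyone in this thread: a servlet filter that gates every request on an attribute stored in the container session, plus a logout path that calls `session.invalidate()` so the key carried in the JSESSIONID cookie (or in a rewritten URL) no longer resolves to anything. The attribute name, login page and logout path are assumptions for this example; the login action that sets the attribute after checking credentials is not shown.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session-based login gate (illustration only, not SecurityFilter).
 * A second window of the same browser presents the same session cookie,
 * so it passes the check for as long as the session is alive; the only
 * server-side way to end that is to invalidate the session.
 */
public class SessionLoginFilter implements Filter {
    // Assumed names for this example; a real app would pick its own.
    static final String USER_ATTR = "authenticatedUser";
    static final String LOGIN_PATH = "/login.jsp";
    static final String LOGOUT_PATH = "/logout";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();
        // encodeRedirectURL appends the session key to the URL only when the
        // container is falling back to URL rewriting (cookies disabled).
        String loginUrl = response.encodeRedirectURL(request.getContextPath() + LOGIN_PATH);

        // Explicit logout: destroy the container session so the key the
        // browser keeps sending maps to nothing, whether or not any window
        // is still open.
        if (LOGOUT_PATH.equals(path)) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(loginUrl);
            return;
        }

        // The login page itself must stay reachable without a session.
        if (LOGIN_PATH.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): never create a session just for this check.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            // No session key arrived, it no longer resolves (logged out or
            // expired), or the session was never authenticated.
            response.sendRedirect(loginUrl);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to `/*` in web.xml and have the login action set the `authenticatedUser` attribute only after verifying credentials. Because the gate is keyed on the session and not on the window, the behaviour Hari observed (a new window from the same browser is not challenged) is the expected result of option 2; what the filter does give you is a logout that ends access from every window at once, which is the mitigation DW suggests for the walk-away-from-a-terminal case.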