No, I mean that I am a user and log in as usual. I can see that my orders have ids such as 5, 10 and 42. Now I trick a little bit and send another id, say 41 (which is an order of another user), and without a check the action would show me this order. What's the best way to avoid this situation?
Quote from Leon Rosenberg <[EMAIL PROTECTED]>:
> Just to clarify things, do you mean another user sending your
> sessionId stored in your cookie to the shop?
>
> leon
>
> On 1/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > The question I have is not purely specific to Struts, but I expect that it's a
> > common problem for Struts users. Suppose you have a web application which is a
> > shop. You have several users, each of which can have orders, accounting
> > details, etc. Now a user logs in and you store the user object in the
> > session. Further, you put a list of orders into a request and forward to a JSP
> > that enables to select an order. When the user selects an order, the id is
> > submitted to the action, the corresponding order is put into the request and
> > you forward to the OrderDetails page.
> > Up to now, everything is pretty standard. However, what happens if a user logs
> > in, but then submits an arbitrary id - this would enable him to see orders from
> > other users! How can such security lacks be avoided best?
> >
> > Cheers,
> >
> > Thorsten
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
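The usual fix for the situation described in this thread is to make the logged-in user part of the order lookup itself, so a submitted id can only ever resolve to one of that user's own orders. The following is an added illustration, not code from the thread or from Struts; the class names (Order, OrderRepository, OrderDetailsAction) and the in-memory repository are hypothetical stand-ins for a real DAO.

```java
// Added example: an order lookup scoped to the session user, so an arbitrary id
// submitted in the request cannot reach another user's order. All names are hypothetical.
import java.util.*;

public class OrderDetailsAction {
    static final class Order {
        final long id; final long ownerId; final String summary;
        Order(long id, long ownerId, String summary) { this.id = id; this.ownerId = ownerId; this.summary = summary; }
    }

    // Stand-in for the DAO. In a real application the equivalent is a query such as
    // "SELECT ... FROM orders WHERE id = ? AND owner_id = ?", i.e. the ownership
    // constraint is part of the lookup, not a check bolted on afterwards.
    static final class OrderRepository {
        private final Map<Long, Order> orders = new HashMap<>();
        void save(Order o) { orders.put(o.id, o); }
        Optional<Order> findByIdForOwner(long id, long ownerId) {
            Order o = orders.get(id);
            return (o != null && o.ownerId == ownerId) ? Optional.of(o) : Optional.empty();
        }
    }

    // Mirrors the flow from the thread: the id comes from the request parameter,
    // the user comes from the session object, and the two are combined in one lookup.
    static String execute(OrderRepository repo, long sessionUserId, String submittedId) {
        long id;
        try { id = Long.parseLong(submittedId); } catch (NumberFormatException e) { return "error"; }
        Optional<Order> order = repo.findByIdForOwner(id, sessionUserId);
        if (!order.isPresent()) {
            // Same forward whether the order does not exist or belongs to someone else,
            // so the id space gives no hint about other users' orders.
            return "notfound";
        }
        // request.setAttribute("order", order.get()) and forward to OrderDetails would go here
        return "success";
    }

    public static void main(String[] args) {
        OrderRepository repo = new OrderRepository();
        repo.save(new Order(41, 7, "constructed order belonging to user 7"));
        repo.save(new Order(42, 3, "constructed order belonging to user 3"));
        System.out.println(execute(repo, 3, "42")); // user 3 requesting an order they own
        System.out.println(execute(repo, 3, "41")); // user 3 requesting user 7's order
        System.out.println(execute(repo, 3, "x"));  // malformed id from the request
    }
}
```

The important property is that no code path ever loads an order by id alone and decides afterwards whether to show it; every action that resolves an id does so through the owner-scoped lookup.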