On Monday 05 March 2012, Dan Retzlaff wrote:
> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
> supplied with each request. It's not possible for one user to guess another
> user's session ID, so the approach Martin describes is inherently secure.

Ok, thank you and Martin.

> (Just be careful with your authentication code and form/query parameter
> validation elsewhere in your app!)

What do you mean? I used this code as a base:
http://wicketstuff.org/wicket14/authentication/
and I added registration and user/password sign-in and checking against the
database, instead of the simple "wicket" as user and password. I also used a
SHA hash (custom mode) to store the password in the database.

I am a newbie, and I am afraid of Internet security. I collect user data and
I don't want some hacker to extract sensitive data from my web app.

> Dan
>
> On Sat, Mar 3, 2012 at 4:40 AM, Paolo <[email protected]> wrote:
>
> > On Saturday 03 March 2012, Martin Grigorov wrote:
> > > Hi,
> > >
> > > Save the logged in user id in the Session.
> > >
> > > MySession.java:
> > >
> > > private long userId;
> > >
> > > // only the id lives in the session; the User is looked up on each access
> > > public User getUser() {
> > >     return userService.getUserById(userId);
> > > }
> > >
> > > AnyPage.java:
> > > user = MySession.get().getUser();
> >
> > Thank you for the support and the example code, very useful because I am a
> > newbie.
> > Just one more question: Is it secure?
> > Can someone alter session data and change user data, so a hacker could
> > log in with their own account but operate with other accounts?
> > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> > store temporarily in session and database and associate it with a specific
> > user?
> >
> > I added registration and user/password sign-in and checking against the
> > database, instead of the simple "wicket" as user and password.
> >
> > All works ok, but now I need in AdminPage to know which user is
> > logged in.
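An added example (not code from this thread, the wicketstuff sample or Wicket itself) of the pattern Martin describes, with the checks Dan alludes to, written against the Wicket 6 API; UserService, User, MyApplication, SignInPage and passwordMatches are hypothetical stand-ins for the application's own classes.

```java
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

// The session keeps only the user's id, server-side. The browser holds nothing but
// the random JSESSIONID, so it cannot change which user the session belongs to.
public class MySession extends WebSession {
    private Long userId;   // null while anonymous

    public MySession(Request request) { super(request); }

    public static MySession get() { return (MySession) Session.get(); }

    // UserService, User and MyApplication are hypothetical, like the thread's userService.
    private UserService userService() { return MyApplication.get().getUserService(); }

    public boolean signIn(String username, String password) {
        User u = userService().findByUsername(username);
        // passwordMatches (hypothetical) verifies against the stored salted hash.
        if (u == null || !u.passwordMatches(password)) {
            return false;
        }
        // Swap the underlying HttpSession so a JSESSIONID observed before login is
        // invalid after it (session fixation defence); userId survives the swap.
        replaceSession();
        userId = u.getId();
        return true;
    }

    public boolean isSignedIn() { return userId != null; }

    // Re-read from the database on every call; the session never caches user data.
    public User getUser() {
        return userId == null ? null : userService().getUserById(userId);
    }
}

// Pages that need the user check the session first instead of trusting a request parameter.
class AdminPage extends WebPage {
    public AdminPage() {
        if (!MySession.get().isSignedIn()) {
            throw new RestartResponseAtInterceptPageException(SignInPage.class);
        }
        User user = MySession.get().getUser();   // the logged-in user, never a client-supplied id
    }
}
```

The random token Paolo asks about is exactly what the servlet container already provides as the JSESSIONID; the application only has to make sure that the id is issued by the server after a successful login and that pages never read the user identity from a form or query parameter.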
