I mean that if you accept identifiers of external resources as parameters (e.g. database primary keys), it is your responsibility to verify that the authenticated user is authorized to access/modify that external resource. Frameworks protect session data, but not such external resources.
On Wed, Mar 7, 2012 at 2:33 PM, Paolo <[email protected]> wrote:
> On Monday 05 March 2012, Dan Retzlaff wrote:
> > Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
> > supplied with each request. It's not possible for one user to guess another
> > user's session ID, so the approach Martin describes is inherently secure.
> Ok, thank you and Martin.
>
> > (Just be careful with your authentication code and form/query parameter
> > validation elsewhere in your app!)
> What do you mean?
>
> I used this code as a base:
> http://wicketstuff.org/wicket14/authentication/
> and I added registration and user/password sign-in and checking against the
> database, instead of the simple "wicket" user and password.
> I also used a SHA hash (custom mode) to store passwords in the database.
>
> I am a newbie, and I am afraid of Internet security.
> I collect user data and I don't want some hacker to subtract sensitive
> data from my web app.
>
> > Dan
> >
> > On Sat, Mar 3, 2012 at 4:40 AM, Paolo <[email protected]> wrote:
> >
> > > On Saturday 03 March 2012, Martin Grigorov wrote:
> > > > Hi,
> > > >
> > > > Save the logged in user id in the Session.
> > > >
> > > > MySession.java:
> > > >
> > > > private long userId;
> > > >
> > > > public User getUser() {
> > > >     return userService.getUserById(userId);
> > > > }
> > > >
> > > >
> > > > AnyPage.java:
> > > > user = MySession.get().getUser();
> > > >
> > > Thank you for the support and the code explanation, very useful because I am a
> > > newbie.
> > > Just one more question: is it secure?
> > > Can someone alter session data and change user data, so a hacker could
> > > log in with their own account but operate with other accounts?
> > > Do I need some random code like "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> > > store temporarily in session and database and associate it to a specific
> > > user?
> > > > > I added registration and user/password sign-in and checking against the
> > > > > database, instead of the simple "wicket" user and password.
> > > > > All works ok, but now I need in AdminPage to know which user is
> > > > > logged in.
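A page written to Dan's point above, as an added example (not code from the thread, from the wicketstuff sample, or from Wicket itself): it assumes the Wicket 1.5+ class names shown, a hypothetical Invoice row and InvoiceRepository, and a MySession that keeps only the user id server-side, as Martin sketched.

```java
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.mapper.parameter.PageParameters;

// Hypothetical domain row keyed by its database primary key.
final class Invoice {
    final long id;
    final long ownerUserId;   // the user this row belongs to
    final String text;
    Invoice(long id, long ownerUserId, String text) {
        this.id = id; this.ownerUserId = ownerUserId; this.text = text;
    }
}

// Hypothetical repository; a real one would query the database.
interface InvoiceRepository {
    Invoice findById(long id);
}

// Session as in Martin's sketch: only the authenticated user's id lives here,
// and the client never sees or supplies it (it only holds the JSESSIONID).
abstract class MySession extends Session {
    private long userId;
    MySession(Request request) { super(request); }
    long getUserId() { return userId; }
    void setUserId(long userId) { this.userId = userId; }
    static MySession get() { return (MySession) Session.get(); }
}

public class InvoicePage extends WebPage {
    static InvoiceRepository repository;   // hypothetical: wired by the application

    public InvoicePage(PageParameters parameters) {
        // "id" comes from the URL (e.g. /invoice?id=42), so it is attacker-controlled
        // input; nothing stops a logged-in user from typing somebody else's id.
        long invoiceId = parameters.get("id").toLong();
        Invoice invoice = repository.findById(invoiceId);
        // UNSAFE (the gap Dan describes) would be: add(new Label("text", invoice.text));
        // The framework authenticated the session; it knows nothing about which
        // invoices that user may see. That authorization check is the application's job.
        if (invoice == null || invoice.ownerUserId != MySession.get().getUserId()) {
            // Same response for "no such row" and "not your row", so the error
            // does not reveal which ids exist.
            throw new AbortWithHttpErrorCodeException(404);
        }
        add(new Label("text", invoice.text));
    }
}
```

The same ownership test belongs on every page or form handler that receives a primary key, including update and delete actions, not only on display.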
