Subject: Servlet security?!?
Newsgroups: lugnet.off-topic.geek
Date: Sun, 12 Mar 2000 19:01:54 GMT
Viewed: 355 times

Does anyone have any experience with the Java Servlet API, esp. with the
HttpSession.putValue() function?
It seems that *any* Java object may be bound to an HTTP session by placing it
in the key/value set of the HttpSession object. However, the HttpSession
serializes itself into a cookie or via URL rewriting. IOW, the object you
placed via putValue() is stored on the browser end for later use. What's to
prevent a malicious object from being substituted in its place when the
browser sends back the cookie or URL request?
Not to mention, object size might be an important factor over a slow link...
I'm pretty bummed that they'd choose to deprecate
HttpSession.getSessionContext() for rather dubious security reasons, yet
objects can be stored and fetched from a cookie. :-P
Cheers,
- jsproat
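As an added illustration of the API the post asks about (example code written for this page, not from the poster or from any servlet container's own sources), here is a small servlet that binds an object to the HttpSession with putValue(), reads it back with getValue(), and prints the session id the container assigned. The key name "visit.counter", the Counter class and the SessionCounterServlet name are assumptions made for the example. What it lets you observe in a browser or with a raw HTTP client is that the Set-Cookie header (cookie name JSESSIONID under Servlet 2.2) and the rewritten URL carry only the opaque session id; the Counter object stays in the container's server-side session table keyed by that id.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original post): binds a per-visitor counter
 * to the HttpSession and reports the session identifier. The counter never
 * leaves the server; the cookie or rewritten URL carries only the id.
 */
public class SessionCounterServlet extends HttpServlet {

    // Assumed attribute name, chosen for this example.
    private static final String COUNTER_KEY = "visit.counter";

    // Ordinary server-side object held in the container's session table.
    // It only needs to be Serializable if the container persists or
    // migrates sessions; an in-memory session keeps the live reference.
    static final class Counter {
        private int hits;
        int increment() { return ++hits; }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(true) creates a session on the first request; the
        // container then issues the Set-Cookie (or URL-rewriting) for its id.
        HttpSession session = req.getSession(true);

        // Servlet 2.1-era accessors, as named in the post.
        Counter counter = (Counter) session.getValue(COUNTER_KEY);
        if (counter == null) {
            counter = new Counter();
            session.putValue(COUNTER_KEY, counter);
        }
        int hits = counter.increment();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("session id: " + session.getId());
        out.println("new session: " + session.isNew());
        out.println("hits in this session: " + hits);
        // encodeURL() appends the session id when cookies are disabled;
        // like the cookie, it carries only the id, never the Counter object.
        out.println("rewritten self-link: " + resp.encodeURL(req.getRequestURI()));
    }
}
```

Deploy it with a servlet mapping in web.xml, request the URL twice from the same browser, and compare: the hit count increases and the session id stays constant, while the only session-related data visible on the wire is that id. Because the id is the sole thing the client holds, its unpredictability and its protection in transit are what the security of putValue()'d objects rests on.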