Hi All,
Following is my question:
A user logs into your application. Your application checks the authentication against the database.
The user is a valid user. Now, the application sets the userId into the session for session tracking:
session.setAttribute("userId",userId);
When the user does some database transaction, the application fetches the userId from the session and inserts the user's values into the database against that userId. For example:
String userId = (String) session.getAttribute("userId");
Dummy Database Table:
UserId | ItemsPurchased | ItemCode | ItemDescription
If the authenticated user is a hacker, is it possible for him to change the userId in the session while doing the transaction, so that the transaction appears in somebody else's name?
If this is possible, then how difficult is it, and what are the security measures?
Thanks in Advance.
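As an added illustration of the pattern the question describes (this is my example code, not the poster's application), the two servlets below show the defensive shape: the userId in the HttpSession is chosen by the server after the credential check, the pre-login session is discarded so a session id planted before login cannot be reused, and the purchase handler reads the userId only from the server-side session, never from the request. UserDao and PurchaseDao are assumed helper classes that do not exist on the page.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet. The userId stored in the session is set by the
// server only after the credentials check out; HttpSession attributes live on
// the server, the browser holds nothing but the session id cookie.
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String userId = req.getParameter("userId");
        String password = req.getParameter("password");
        if (!UserDao.checkCredentials(userId, password)) { // UserDao: assumed helper
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Throw away any session that existed before login so a session id
        // obtained before authentication (session fixation) is not promoted.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("userId", userId);
        resp.sendRedirect("/shop");
    }
}

// Hypothetical purchase servlet. The user the purchase is recorded against
// comes from the server-side session only; a userId field in the request is
// deliberately ignored, so a logged-in user cannot name somebody else.
class PurchaseServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // not logged in
            return;
        }
        String itemCode = req.getParameter("itemCode");
        PurchaseDao.insert(userId, itemCode); // PurchaseDao: assumed helper
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

With this shape the only thing a client can influence is which session id it presents, so the remaining risk is theft or fixation of that id rather than editing the attribute itself.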