JavaRanch » Java Forums » Java » JSP
session vulnerable pages

Jason Kwok
Ranch Hand

Joined: Mar 31, 2005
Posts: 126
Hi,
I have a webapp where a user can login and edit their profile, password, and view sales/financial history. I use the MVC pattern so the user views this information on jsp pages which are fed info from a servlet controller which interacts with a model.
My question is, after I've logged in and viewed those jsp pages with the sensitive info on them and log out, I can still view that information if I type in the URL for any of those pages. How can I prevent this?
When log out is performed I use session.invalidate(). I have the customer's info saved in the session using a userbean and salesbean. Would these beans not be removed when I use session.invalidate()?

I was thinking for those sensitive pages which are in jsp... should I check to see if there is an existing session, and if not, redirect off those pages? Would that be the best way?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

should I check to see if there is an existing session, and if not, redirect off those pages?


Absolutely. If you're not checking, there's nothing to prevent access.

This is a great use for a servlet filter, by the way.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

You may also want to prohibit direct access to your JSPs - either by filtering for *.jsp or by putting the JSPs under the WEB-INF directory.


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
Jason Kwok
Ranch Hand

Joined: Mar 31, 2005
Posts: 126
Originally posted by Ben Souther:
You may also want to prohibit direct access to your JSPs - either by filtering for *.jsp or by putting the JSPs under the WEB-INF directory.


Ok, I'm comfortable checking for a session and redirecting. However, I'm not familiar with the 'filter' method you're talking about. Is there somewhere I can check that out?

Secondly, how would I filter for *.jsp? Would that be through some sort of mapping in my web.xml file? Or if I did put them under my WEB-INF directory, how would I reference them??

ex: http://localhost:8080/myStore/WEB-INF/myFile.jsp??
Jason Kwok
Ranch Hand

Joined: Mar 31, 2005
Posts: 126
Originally posted by Bear Bibeault:


Absolutely. If you're not checking, there's nothing to prevent access.

This is a great use for a servlet filter, by the way.


What is a servlet filter? And how would I use it? I've never heard of such a thing... which shows just how new I am to Java!!

Thanks again Ben and Bear,
J
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

First Filters:
http://www.google.com/search?hl=en&q=Servlet+Filter+Tutorial&btnG=Google+Search
The nice thing about them is that you can map them to URL patterns from web.xml without changing code or re-compiling.

Hiding JSPs under WEB-INF:
If you're using MVC you can forward to your JSPs just like you do now but in the WEB-INF directory. Browsers can't access WEB-INF directly but your servlets can.

[ April 13, 2005: Message edited by: Ben Souther ]
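To make Bear's "check for a session and redirect" and Ben's "*.jsp filter mapping" concrete, here is an added example filter (not code from this thread or from JavaRanch). It assumes the login servlet stores the logged-in user in the session under the attribute name "userBean" and that the login page is /login.jsp; both names are assumptions.

```java
// AuthFilter.java: added example, not code from the thread. Assumes the login servlet
// stores the logged-in user in the session under the attribute name "userBean" and
// that the login page is /login.jsp (both assumed names). Map it in web.xml to the
// sensitive pages, e.g. with Ben's *.jsp pattern:
//   <filter><filter-name>AuthFilter</filter-name><filter-class>AuthFilter</filter-class></filter>
//   <filter-mapping><filter-name>AuthFilter</filter-name><url-pattern>*.jsp</url-pattern></filter-mapping>
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        // Let the login page itself through, or every visitor is redirected forever.
        if (path.equals("/login.jsp")) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session: after session.invalidate() it
        // returns null, which is how a logged-out visitor is detected. Checking the
        // userBean attribute too means an anonymous session created by some other
        // page does not count as logged in.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("userBean") != null;
        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;   // the JSP never runs, so nothing sensitive is rendered
        }

        // Ask the browser not to cache the page, so the Back button after logout
        // re-requests it (and hits this filter) instead of showing a stale copy.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

A url-pattern mapping applies by default to direct browser requests, not to forwards from the controller servlet, which is exactly the typed-in-URL case asked about above; JSPs moved under WEB-INF need no filter for direct access at all, since the container refuses to serve them.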
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
Originally posted by Jason Kwok:
What is a servlet filter? And how would I use it? I've never head of such a thing... which shows just how new I am to java!!


A filter is nothing but a complement to a servlet. You can get a free book from theserverside.com. It is not a very good book for beginners, but as you are not a beginner, you will find the book worthy.