session vulnerable pages
Jason Kwok
Ranch Hand
Joined: Mar 31, 2005
Posts: 126
Hi, I have a webapp where a user can login and edit their profile, password, and view sales/financial history. I use the MVC pattern so the user views this information on jsp pages which are fed info from a servlet controller which interacts with a model. My question is, after I've logged in and viewed those jsp pages with the sensitive info on them and log out, I can still view that information if I type in the URL for any of those pages. How can I prevent this? When log out is performed I use session.invalidate(). I have the customer's info saved in the session using a userbean and salesbean. Would these beans not be removed when I use session.invalidate()? I was thinking for those sensitive pages which are in jsp... should I check to see if there is an existing session, and if not, redirect off those pages? Would that be the best way?
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56157
should I check to see if there is an existing session, and if not, redirect off those pages?
Absolutely. If you're not checking, there's nothing to prevent access. This is a great use for a servlet filter, by the way.
Ben Souther
Sheriff
Joined: Dec 11, 2004
Posts: 13410
You may also want to prohibit direct access to your JSPs - either by filtering for *.jsp or by putting the JSPs under the WEB-INF directory.
Jason Kwok
Ranch Hand
Joined: Mar 31, 2005
Posts: 126
Originally posted by Ben Souther: You may also want to prohibit direct access to your JSPs - either by filtering for *.jsp or by putting the JSPs under the WEB-INF directory.
Ok, I'm comfortable checking for a session and redirecting. However, I'm not familiar with the 'filter' method you're talking about. Is there somewhere I can check that out? Secondly, how would I filter for *.jsp? Would that be through some sort of mapping in my web.xml file? Or if I did put them under my WEB-INF directory, how would I reference them? ex: http://localhost:8080/myStore/WEB-INF/myFile.jsp?
Jason Kwok
Ranch Hand
Joined: Mar 31, 2005
Posts: 126
Originally posted by Bear Bibeault: Absolutely. If you're not checking, there's nothing to prevent access. This is a great use for a servlet filter, by the way.
What is a servlet filter? And how would I use it? I've never heard of such a thing... which shows just how new I am to Java!! Thanks again Ben and Bear, J
Ben Souther
Sheriff
Joined: Dec 11, 2004
Posts: 13410
First, Filters: http://www.google.com/search?hl=en&q=Servlet+Filter+Tutorial&btnG=Google+Search
The nice thing about them is that you can map them to URL patterns from web.xml without changing code or re-compiling.
Hiding JSPs under WEB-INF: If you're using MVC you can forward to your JSPs just like you do now, but in the WEB-INF directory. Browsers can't access WEB-INF directly, but your servlets can.
[ April 13, 2005: Message edited by: Ben Souther ]
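To make the advice in Bear's and Ben's replies concrete, here is an added example (not code posted in this thread) of the session-check filter they describe, together with the web.xml mapping that wires it in front of the protected URLs and the forward that reaches a JSP hidden under WEB-INF. The package name, the attribute name "userBean", the URL pattern "/account/*", the login path "/login" and the JSP path "/WEB-INF/jsp/profile.jsp" are all assumptions chosen for the example, not the poster's actual names.

```java
// Added example, not from the thread: a servlet filter that refuses requests
// for the account pages unless a live session holding the user's bean exists.
// "example", "userBean", "/login", "/account/*" and "/WEB-INF/jsp/profile.jsp"
// are assumed names for this illustration.
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session. After session.invalidate()
        // there is none, and all attributes (userbean, salesbean) are gone with it,
        // so this returns null and the request is bounced to the login page.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("userBean") != null;

        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + "/login");
            return; // chain.doFilter is never called, so the page is never rendered
        }

        // Ask the browser not to cache the sensitive page, so that pressing Back
        // after logout re-requests it and runs into this filter again.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(req, res);
    }

    public void destroy() { }
}

// The controller the filter sits in front of. The JSP lives under WEB-INF, so a
// browser cannot request it directly; only this forward can reach it.
class ProfileController extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        RequestDispatcher view = request.getRequestDispatcher("/WEB-INF/jsp/profile.jsp");
        view.forward(request, response);
    }
}

// Logout: invalidate drops the whole session, beans included, then redirect.
class LogoutController extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login");
    }
}

/* web.xml fragment that maps the filter onto every URL under /account/*
   (the filter is declared once; adding or changing mappings needs no recompile):

<filter>
    <filter-name>LoginFilter</filter-name>
    <filter-class>example.LoginFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>LoginFilter</filter-name>
    <url-pattern>/account/*</url-pattern>
</filter-mapping>
*/
```

Two things to check once this is in place: every protected controller must actually be mapped under the filtered pattern (a servlet reachable at a URL the filter does not cover is still open), and the JSPs must be moved under WEB-INF or covered by a second mapping on *.jsp, otherwise typing the JSP's own URL still bypasses the controller and the filter.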
Adeel Ansari
Ranch Hand
Joined: Aug 15, 2004
Posts: 2874
Originally posted by Jason Kwok: What is a servlet filter? And how would I use it? I've never head of such a thing... which shows just how new I am to java!!
A filter is nothing but a complement to a servlet. You can get a free book from theserverside.com. Not a very good book for beginners, but as you are not a beginner, you will find the book worthy.