Session vs DB stored values

 
Timothy Sam
Ranch Hand
Posts: 751
I have a feature that enables users to change their password. Their password is stored in a session-scoped variable upon login and I use this to compare their new password to the old one. Is this a good idea? Or should I be getting the old password from the one that is stored in the database? Thanks!
 
Jaikiran Pai
Marshal
Posts: 10447
Here's my thought - Consider the following case:

1) UserA logs in with password ABC from a browser. You store the password in the Session.
2) UserA (the same user) logs in from one more browser.
3) UserA changes the password to XYZ from browser1. You compare the old password from the Session and then save the new password in the database.
4) UserA tries to change the password *from browser2*. You check the old password in the Session (which is still maintained as ABC even though the password has changed to XYZ) - This is NOT what you would want to happen.

So it's better to retrieve the old password from the database for the check when the password is being changed.
 
Timothy Sam
Ranch Hand
Posts: 751
Thank you very much. I, too, thought retrieving it from the DB would be a better solution. Thanks!
 
Rusty Smythe
Ranch Hand
Posts: 93
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).

When the user wants to change his/her password, I suggest you ask them for the current password along with the new password. If the current one doesn't match the password in the database, then fail.

Also, consider encrypting all database passwords with a one-way hash to prevent someone from reading your DB directly and getting the passwords that way.
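As an added example (not code from anyone in this thread), here is the two-browser case Jaikiran describes and the database check with a one-way hash Rusty recommends, in Python rather than a Java servlet; an in-memory dict stands in for the users table and the session classes are assumed stand-ins for the container's session:

```python
import hashlib, hmac, os

USERS = {}  # constructed in-memory users table: username -> (salt, hash)

def _hash(password, salt):
    # One-way hash, so reading the table directly does not reveal passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)
def set_password(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))

def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash(password, salt))

class CachingSession:  # flawed: the password is copied into the session at login
    def __init__(self, username, password):
        self.username, self.password = username, password

def change_password_cached(session, current, new):
    if current != session.password:  # checks the session's copy, which may be stale
        return False
    set_password(session.username, new)
    session.password = new  # the user's other sessions still hold the old value
    return True

class Session:  # recommended: the session holds only the user id
    def __init__(self, username):
        self.username = username

def change_password_db(session, current, new):
    if not verify_password(session.username, current):  # re-check against the DB now
        return False
    set_password(session.username, new)
    return True

def demo_cached():  # Jaikiran's two-browser case with the session copy
    set_password("userA", "ABC")
    b1, b2 = CachingSession("userA", "ABC"), CachingSession("userA", "ABC")
    change_password_cached(b1, "ABC", "XYZ")
    return change_password_cached(b2, "ABC", "Q")  # True: stale ABC still accepted

def demo_db():  # same case with the database check
    set_password("userA", "ABC")
    b1, b2 = Session("userA"), Session("userA")
    change_password_db(b1, "ABC", "XYZ")
    return change_password_db(b2, "ABC", "Q"), change_password_db(b2, "XYZ", "Q")
```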
 
Richard Green
Ranch Hand
Posts: 536
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension).

Can you please tell me how? As far as I know, this extension allows you to see the cookies only (not the session attributes).
 
Timothy Sam
Ranch Hand
Posts: 751
Yeah, please tell us how... Thank you.
 
Gregg Bolinger
GenRocket Founder
Ranch Hand
Posts: 15302
I'd prefer, if it is possible, for that information not to be told. Sure, you can probably go google that information pretty easily, but I'd prefer it if JavaRanch would stay away from providing hacking information.

Thanks.
 
Timothy Sam
Ranch Hand
Posts: 751
Hmmmm... Yes, I couldn't agree more. Here I am Mr. Google! Or maybe you could PM me the answer?
 
Richard Green
Ranch Hand
Posts: 536
One other Firefox extension that is worth mentioning is 'Tamper Data'. TamperData is an extension to track and modify HTTP/HTTPS requests. It is really great for security testing your web applications.

I use it a lot for security testing my web applications. I.e., I fill in a form with valid values and press submit. The client-side validation occurs and it is happy with the values I entered, so it sends the HTTP request to the server. TamperData intercepts the request at this stage and allows me to modify the request parameters. I modify the request parameters - put in invalid values - and press submit.

Voila! Now the server-side validation occurs and I get a nice little error message saying that I have entered incorrect values. My web application is secure.

P.S.: I thought that the information above would be useful for security testing purposes. If the moderators believe that it violates the forum rules, then please edit my post.
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Rusty Smythe:
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).


How would the webdev plugin help someone view objects stored in the session?
You do realize that the session object, and all objects bound to it, are stored on the server, right?
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Timothy Sam:
Hmmmm... Yes, I couldn't agree more. Here I am Mr. Google! Or maybe you could PM me the answer?


First, please see:
http://faq.javaranch.com/view?UseTheForumNotEmail to see why we discourage technical conversations from going to PM or email.

Second, why are you so anxious to learn how to hack into someone's session?
 