JavaRanch » Java Forums » Java » Servlets
Session vs DB stored values

Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
I have a feature that enables users to change their password. Their password is stored in a session-scoped variable upon login and I use this to compare their new password to the older one. Is this a good idea? Or should I be getting the old password, the one that is stored in the database? Thanks!


SCJP 1.5
http://devpinoy.org/blogs/lamia/ - http://everypesocounts.com/
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10202

Here's my thought - Consider the following case:

1) UserA logs in with password ABC from a browser. You store the password in the Session
2) UserA(the same user) logs in from one more browser.
3) UserA changes password to XYZ from browser1. You compare the old password from the Session and then save the new password in the database.
4) UserA tries to change password *from browser2*. You check the old password in the Session(which is still maintained as ABC even though the password has changed to XYZ) - This is NOT what you would want to happen.

So it's better to retrieve the old password from the database when doing the check at the time the password is being changed.


[My Blog] [JavaRanch Journal]
Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
Thank you very much. I, too, thought retrieving from the DB would be a better solution. Thanks!
Rusty Smythe
Ranch Hand

Joined: Aug 09, 2006
Posts: 93

Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).

When the user wants to change his/her password, I suggest you ask them for current password along with new password. If current doesn't == password in database, then fail.

Also, consider encrypting all database passwords with a one-way hash to prevent someone from reading your DB directly and getting the passwords that way.
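The following is an added example (not code from any poster in this thread) that puts the two points above together: the session holds only the user id, the current password is checked against the hash stored in the database, and the stored value is a salted PBKDF2 hash rather than the cleartext password. The in-memory `USER_TABLE` map and the `Session` class are stand-ins for the users table and `HttpSession`; the `main` method replays Jaikiran's two-browser scenario, in which browser 2 still believes the password is ABC after browser 1 changed it to XYZ.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordChangeDemo {

    // Stand-in for the users table (hypothetical): user id -> "base64(salt):base64(hash)".
    static final Map<Integer, String> USER_TABLE = new HashMap<>();

    // Stand-in for HttpSession: holds the user id only, never the password.
    static final class Session {
        final int userId;
        Session(int userId) { this.userId = userId; }
    }

    static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 100_000;
    static final int KEY_BITS = 256;

    // One-way, salted key derivation so a copy of the DB does not reveal passwords.
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String hashPassword(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                       // fresh salt per password
        byte[] hash = pbkdf2(password, salt);
        return Base64.getEncoder().encodeToString(salt) + ":"
             + Base64.getEncoder().encodeToString(hash);
    }

    static boolean verifyPassword(char[] password, String stored) {
        String[] parts = stored.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = pbkdf2(password, salt);
        return MessageDigest.isEqual(expected, actual);   // constant-time compare
    }

    // The user supplies the current password with the form; it is checked against
    // the DB row, not against anything cached in the session.
    static boolean changePassword(Session session, char[] currentPassword, char[] newPassword) {
        String stored = USER_TABLE.get(session.userId);
        if (stored == null || !verifyPassword(currentPassword, stored)) {
            return false;
        }
        USER_TABLE.put(session.userId, hashPassword(newPassword));
        return true;
    }

    public static void main(String[] args) {
        int userA = 42;                            // constructed sample user
        USER_TABLE.put(userA, hashPassword("ABC".toCharArray()));

        Session browser1 = new Session(userA);
        Session browser2 = new Session(userA);     // same user, second login

        // Browser 1 changes ABC -> XYZ.
        System.out.println(changePassword(browser1, "ABC".toCharArray(), "XYZ".toCharArray()));
        // Browser 2 still supplies ABC: rejected, because the DB now holds XYZ.
        System.out.println(changePassword(browser2, "ABC".toCharArray(), "QRS".toCharArray()));
        // Browser 2 supplies the real current password: accepted.
        System.out.println(changePassword(browser2, "XYZ".toCharArray(), "QRS".toCharArray()));
    }
}
```

Had the old password been read from the session instead of `USER_TABLE`, the second call would have succeeded with a stale password. Reading the row on every change also means a password reset done elsewhere (admin tool, another device) takes effect immediately for every open session.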
Richard Green
Ranch Hand

Joined: Aug 25, 2005
Posts: 536
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension).

Can you please tell me how? As far as I know, this extension allows you to see the cookies only (not the session attributes).


MCSD, SCJP, SCWCD, SCBCD, SCJD (in progress - URLybird 1.2.1)
Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
Yeah, please tell us how please... Thank you.
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15299

I'd prefer , if it is possible, for that information not to be told. Sure, you can probably go google that information pretty easily, but I'd prefer it if JavaRanch would stay away from providing hacking information.

Thanks.


GenRocket - Experts at Building Test Data
Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
Hmmmm... Yes, I couldn't agree more. Here I am Mr. Google! Or maybe you could PM me the answer?
Richard Green
Ranch Hand

Joined: Aug 25, 2005
Posts: 536
One other firefox extension that is worth mentioning is 'Tamper Data'. TamperData is an extension to track and modify http/https requests. It is really great for security testing your web applications.

I use it a lot for security testing my web applications. I.e., I fill in a form with valid values and press submit. The client side validation occurs and it is happy with the values I entered, so it sends the HTTP request to the server. TamperData intercepts the request at this stage and it allows me to modify the request parameters. I modify the request parameters - put in invalid values and press submit.

Voila! Now the server side validation occurs and I get a nice little error message saying that I have entered incorrect values. My web application is secure.

P.S: I thought that the information above will be useful for security testing purposes. If the moderators believe that it violates the forum rules, then please edit my post.
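As an added illustration of the server side of the test described above (not the poster's code), here is a hypothetical servlet-style handler that validates the raw parameter map on its own, so a request whose parameters were edited after the client-side checks ran is rejected with an error message rather than acted on. The field names, rules and `tampered` request map are constructed for the example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class ServerSideValidationDemo {

    // Hypothetical form rules; the server applies them regardless of any client-side JavaScript.
    static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,20}$");
    static final int MIN_AGE = 13, MAX_AGE = 120;

    // Shape of HttpServletRequest.getParameterMap(): name -> values.
    static String first(Map<String, String[]> params, String name) {
        String[] v = params.get(name);
        return (v == null || v.length == 0) ? null : v[0];
    }

    // Returns a list of error messages; empty means the request is acceptable.
    static List<String> validate(Map<String, String[]> params) {
        List<String> errors = new ArrayList<>();

        String username = first(params, "username");
        if (username == null || !USERNAME.matcher(username).matches()) {
            errors.add("username must be 3-20 letters, digits or underscores");
        }

        String ageText = first(params, "age");
        try {
            int age = Integer.parseInt(ageText == null ? "" : ageText.trim());
            if (age < MIN_AGE || age > MAX_AGE) {
                errors.add("age must be between " + MIN_AGE + " and " + MAX_AGE);
            }
        } catch (NumberFormatException e) {
            errors.add("age must be a whole number");
        }

        // Hidden fields are just as editable as visible ones; never trust them.
        String role = first(params, "role");
        if (role != null && !role.equals("user")) {
            errors.add("role cannot be set by the form");
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed request as the browser would have sent it after client-side validation.
        Map<String, String[]> clean = new HashMap<>();
        clean.put("username", new String[] {"timothy_sam"});
        clean.put("age", new String[] {"30"});
        clean.put("role", new String[] {"user"});
        System.out.println("clean:    " + validate(clean));      // []

        // The same request after the parameters were edited in transit.
        Map<String, String[]> tampered = new HashMap<>();
        tampered.put("username", new String[] {"<script>"});
        tampered.put("age", new String[] {"-1"});
        tampered.put("role", new String[] {"admin"});
        System.out.println("tampered: " + validate(tampered));   // three error messages
    }
}
```

The client-side checks exist for usability only; the list returned by `validate` is what decides whether the server proceeds.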
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Rusty Smythe:
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).


How would the webdev plugin help someone view objects stored in session?
You do realize that the session object, and all objects bound to it, are stored on the server, right?


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Timothy Sam:
Hmmmm... Yes, I couldn't agree more. Here I am Mr. Google! Or maybe you could PM me the answer?


First, please see:
http://faq.javaranch.com/view?UseTheForumNotEmail to see why we discourage technical conversations from going to PM or email.

Second, why are you so anxious to learn how to hack into someone's session?