Is session security enough?

Mark Reyes
Ranch Hand

Joined: Jul 09, 2007
Posts: 426
For this particular case, this is something that would be much better handled by a filter rather than within the servlets themselves.

Hi Bear and Peter, I don't mean to hijack this thread but I have exactly the same case as what Peter wants to do. In my case, I already set up a filter to trap all incoming HTTP requests,
check for a principal in the session and set the authorization scheme on the session (user is Admin/Guest/etc.).

I can't help but think that this is a good security scheme. My question is, is putting the user authorization/authentication scheme on the session considered 'secure enough', and is there no way for others to check its value since the session runs on the server side? Thanks

Sean Clark ---> I love this place!!!
Me ------> I definitely love this place!!!
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63869

Split off this thread hijack into its own topic. Please start new topics for your own questions.
