Session Security

Ranch Hand
Posts: 51
Hi All,
Following is my question:

A user logs into your application. Your application checks the authentication against the database.

The user is a valid user. Now the application sets the userId in the session for session tracking.

session.setAttribute("userId",userId);

When the user does some database transaction, the application fetches the userId from the session and inserts the user's values into the database against that userId. For example:

String userId = (String) session.getAttribute("userId");

Dummy Database Table:
UserId | ItemsPurchased | ItemCode | ItemDescription


If the authenticated user is a hacker, is it possible for him to change the userId in the session while doing the transaction so that the transaction appears in somebody else's name?

If this is possible, then how difficult is it, and what are the security measures?

Thanks in Advance.
 
Ranch Hand
Posts: 266
The userId set in the session resides only on the server. The client will not have access to it. The client will have access only to the jsessionid cookie, and servers generate random values for jsessionid. So your approach looks fine. But if you are accepting the userId from the HTTP request, then it will be a problem.
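To make the distinction in this answer concrete, here is an added servlet example (not code from the original thread) that shows the weak pattern, taking userId from the request, next to the safe pattern, taking it from the server-side session. PurchaseDao and its wiring are assumed, and the SQL is assumed to be parameterized.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical persistence helper; assumed to run a parameterized INSERT. */
interface PurchaseDao {
    void insertPurchase(String userId, String itemCode, String itemDescription);
}

public class PurchaseServlet extends HttpServlet {
    private PurchaseDao dao; // hypothetical; assume it is assigned in init()

    // WEAK: the identity comes from the request (form field, hidden field or
    // query string), all of which the logged-in client can edit before sending.
    // Whatever userId the client supplies is what gets written to the table.
    void recordPurchaseUnsafe(HttpServletRequest req) {
        String userId = req.getParameter("userId"); // client-controlled value
        dao.insertPurchase(userId, req.getParameter("itemCode"),
                           req.getParameter("itemDescription"));
    }

    // SAFE: the identity is the value the login code stored server-side with
    // session.setAttribute("userId", userId). The browser only holds the random
    // JSESSIONID cookie and can neither read nor rewrite this attribute.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create one here
        String userId = (session == null)
                ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            // No authenticated session: refuse instead of trusting the client.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        dao.insertPurchase(userId, req.getParameter("itemCode"),
                           req.getParameter("itemDescription"));
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

The only thing the client can change is the JSESSIONID cookie, and an edited or guessed value simply maps to no session (or someone else's only if the id was leaked or predictable), which is why the session id must be random and sent only over HTTPS.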
 
dimpsonu arora
Ranch Hand
Posts: 51
Thanks Santosh,

But I did not get what you mean by posting the userId through an HTTP request?

I am simply asking the user to login using a simple jsp page which runs on http.
http://localhost:8080/myApp/login

Once the user logs in, my application hits the database. If he is an authenticated user, his userId is set in the session using the following code.
session.setAttribute("userId", userId);

Please explain what you mean by posting the userId through an HTTP request?

Do you mean that it is a problem if I am storing the userId somewhere in a hidden field and then making use of it? Or if the userId is part of my URL, like http://localhost:8080/myApp/abc.jsp?userId=abc?

Please correct, if I have not understood it correctly.
 
Master Rancher
Posts: 43045
You understood it perfectly :-) Doing it that way would be a problem, but since your code doesn't do that, all is fine.
 