security issue

I have a servlet that has the logged info in the URL.  How can I prevent the user's access to the logged in section of the site by simply changing logged=no to logged=yes?



Who is Participating?
Mayank SConnect With a Mentor Associate Director - Product EngineeringCommented:
>> SectikonA?logged=no&SecID=30

Is SecID something like a secure-ID which every user will use for logging in? Such things should not be kept as part of the request-URL because people can change it by typing anything in the browser. You should wrap it in an object and set it in the session:

public class UserContext
  private string secId ;
  private string userId ;
// etc

UserContext currentContext = new UserContext () ;
currentContext.setSecId ( 30 ) ; // or whatever
currentContext.setUserName ( "...." ) ;
session.setAttribute ( "User_Security_Context", currentContext ) ;

You should check whether the user has logged in or not by verifiying if the current security context object is null or not.

UserContext c = ( UserContext ) session.getAttribute ( "User_Security_Context" ) ;

if ( c == null )
  -> not logged in
  -> logged in - obtain details like sec-ID, user-ID from the object 'c'.
Add a Boolean into the user's session to state whether or not they have logged in.

HttpSession session = request.getSession(); // Get the session from the request
session.setAttribute("loggedIn", new Boolean(true)); // Set the attribute
Boolean bool = (Boolean) request.getSession().getAttribute("loggedIn"); // Get the attribute
>Boolean bool = (Boolean) request.getSession().getAttribute("loggedIn"); // Get the attribute

Should just be...

Boolean bool = (Boolean) session.getAttribute("loggedIn");

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.