vcgDevelopers

security issue

I have a servlet that has the logged info in the URL.  How can I prevent the user's access to the logged in section of the site by simply changing logged=no to logged=yes?

i.e.

SectikonA?logged=no&SecID=30

OBCT

Add a Boolean into the user's session to state whether or not they have logged in.

E.g.
HttpSession session = request.getSession(); // Get the session from the request
session.setAttribute("loggedIn", Boolean.TRUE); // Set the attribute (Boolean.TRUE avoids the deprecated Boolean constructor)
Boolean bool = (Boolean) request.getSession().getAttribute("loggedIn"); // Get the attribute

>Boolean bool = (Boolean) request.getSession().getAttribute("loggedIn"); // Get the attribute

Should just be...

Boolean bool = (Boolean) session.getAttribute("loggedIn");

:-)
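
The session-flag approach from the answers above, shown as an added example that is not part of the original thread: a servlet filter that decides access from the server-side session only and never reads the `logged` URL parameter. The class name, the `/members/*` mapping and the `/login` URL are assumptions; it targets the javax.servlet API (Servlet 3.1 or later for `changeSessionId`).

```java
// Added example; LoggedInFilter, /members/* and /login are hypothetical names.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/members/*") // hypothetical path of the logged-in section
public class LoggedInFilter implements Filter {

    static final String LOGGED_IN = "loggedIn"; // attribute name used in the answer above

    /** Call from the login servlet only after the credentials have been verified. */
    public static void markLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        request.changeSessionId(); // issue a fresh session id at login
        session.setAttribute(LOGGED_IN, Boolean.TRUE);
    }

    /** True only if an existing session carries the server-side flag. */
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create a session for anonymous users
        return session != null && Boolean.TRUE.equals(session.getAttribute(LOGGED_IN));
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // request.getParameter("logged") is never consulted: the client controls it.
        if (isLoggedIn(request)) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + "/login"); // hypothetical login URL
        }
    }

    @Override
    public void destroy() { }
}
```

`Boolean.TRUE.equals(...)` also covers the case where the attribute was never set, which would otherwise throw a NullPointerException when the `Boolean` is unboxed.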
ASKER CERTIFIED SOLUTION
Mayank S