security issue

Posted on 2005-04-10
Last Modified: 2011-09-20
I have a servlet that has the logged info in the URL.  How can I prevent the user's access to the logged in section of the site by simply changing logged=no to logged=yes?

i.e.

SectikonA?logged=no&SecID=30

Question by:vcgDevelopers
 
LVL 9

Expert Comment

by:OBCT
ID: 13750254
Add a Boolean into the user's session to state whether or not they have logged in.

E.g.
HttpSession session = request.getSession(); // Get the session from the request
session.setAttribute("loggedIn", new Boolean(true)); // Set the attribute
Boolean bool = (Boolean) request.getSession().getAttribute("loggedIn"); // Get the attribute
0
 
LVL 9

Expert Comment

by:OBCT
ID: 13750257
>Boolean bool = (Boolean) request.getSession().getAttribute("loggedIn"); // Get the attribute

Should just be...

Boolean bool = (Boolean) session.getAttribute("loggedIn");

:-)
0
 
LVL 30

Accepted Solution

by:
Mayank S earned 2000 total points
ID: 13750570
>> SectikonA?logged=no&SecID=30

Is SecID something like a secure-ID which every user will use for logging in? Such things should not be kept as part of the request-URL because people can change it by typing anything in the browser. You should wrap it in an object and set it in the session:

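public class UserContext
{
  private String secId ;
  private String userId ;
  // etc

  // Accessors, so servlets can fill in and read the context
  public void setSecId ( String secId ) { this.secId = secId ; }
  public void setUserId ( String userId ) { this.userId = userId ; }
  public String getSecId () { return secId ; }
  public String getUserId () { return userId ; }
}

// After a successful login: keep the values on the server, in the session
UserContext currentContext = new UserContext () ;
currentContext.setSecId ( "30" ) ; // or whatever
currentContext.setUserId ( "...." ) ;
session.setAttribute ( "User_Security_Context", currentContext ) ;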

You should check whether the user has logged in or not by verifying if the current security context object is null or not.

UserContext c = ( UserContext ) session.getAttribute ( "User_Security_Context" ) ;

if ( c == null )
{
  // not logged in
}
else
{
  // logged in - obtain details like sec-ID, user-ID from the object 'c'.
}
0
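The session check from the accepted answer, applied in one place as a servlet filter (an added example, not code posted in the thread). It assumes the javax.servlet API; the class name LoginRequiredFilter, the markLoggedIn helper, the reduced UserContext and the /login path are hypothetical.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: map this filter to the protected URLs in the deployment descriptor.
public class LoginRequiredFilter implements Filter {

    // Same session key the accepted answer uses.
    static final String CONTEXT_KEY = "User_Security_Context";

    // Minimal stand-in for the answer's UserContext (hypothetical shape).
    public static final class UserContext implements Serializable {
        private final String userId;
        public UserContext(String userId) { this.userId = userId; }
        public String getUserId() { return userId; }
    }

    // Call from the login servlet only after the credentials were verified.
    public static void markLoggedIn(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate(); // do not carry a pre-login session id into the logged-in state
        }
        req.getSession(true).setAttribute(CONTEXT_KEY, new UserContext(userId));
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false): do not create a session just to answer "not logged in".
        HttpSession session = req.getSession(false);
        Object ctx = (session == null) ? null : session.getAttribute(CONTEXT_KEY);

        // The decision rests on server-side state only. The "logged" query
        // parameter is never read, so editing it in the URL changes nothing.
        if (!(ctx instanceof UserContext)) {
            res.sendRedirect(req.getContextPath() + "/login"); // hypothetical login path
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

With the filter in place, the protected servlets read the user's details from the session object and the `logged` parameter can be dropped from the links altogether.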
