security issue

Posted on 2005-04-10
Last Modified: 2011-09-20
I have a servlet that has the logged info in the URL.  How can I prevent the user's access to the logged in section of the site by simply changing logged=no to logged=yes?



Question by:vcgDevelopers
    LVL 9

    Expert Comment

    Add a Boolean into the user's session to state whether or not they have logged in.

    HttpSession session = request.getSession(); // Get the session from the request
    session.setAttribute("loggedIn", new Boolean(true)); // Set the attribute
    Boolean bool = (Boolean) request.getSession().getAttribute("loggedIn"); // Get the attribute
    LVL 9

    Expert Comment

    >Boolean bool = (Boolean) request.getSession().getAttribute("loggedIn"); // Get the attribute

    Should just be...

    Boolean bool = (Boolean) session.getAttribute("loggedIn");

    LVL 30

    Accepted Solution

    >> SectikonA?logged=no&SecID=30

    Is SecID something like a secure-ID which every user will use for logging in? Such things should not be kept as part of the request-URL because people can change it by typing anything in the browser. You should wrap it in an object and set it in the session:

    public class UserContext
      private string secId ;
      private string userId ;
    // etc

    UserContext currentContext = new UserContext () ;
    currentContext.setSecId ( 30 ) ; // or whatever
    currentContext.setUserName ( "...." ) ;
    session.setAttribute ( "User_Security_Context", currentContext ) ;

    You should check whether the user has logged in or not by verifiying if the current security context object is null or not.

    UserContext c = ( UserContext ) session.getAttribute ( "User_Security_Context" ) ;

    if ( c == null )
      -> not logged in
      -> logged in - obtain details like sec-ID, user-ID from the object 'c'.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    Suggested Solutions

    If you have upgraded to Java2 update 10 on a Microsoft Windows client, you may have discovered that your Java application does not work as it did before.  For example, the colors of your Java2D graphic may be all wrong for no apparent reason. Aft…
    INTRODUCTION Working with files is a moderately common task in Java.  For most projects hard coding the file names, using parameters in configuration files, or using command-line arguments is sufficient.   However, when your application has vi…
    Viewers will learn about arithmetic and Boolean expressions in Java and the logical operators used to create Boolean expressions. We will cover the symbols used for arithmetic expressions and define each logical operator and how to use them in Boole…
    This tutorial covers a step-by-step guide to install VisualVM launcher in eclipse.

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now