What are the vulnerabilities of having session variables and userids in websphere.

Posted on 2006-06-06
Last Modified: 2013-12-10
Question by: sunilramu

    Expert Comment

    Can you be more specific ?

    Are you asking the vulnerability of keeping the user id in the session ?

    I do not see any problem keeping the user Id in the session and DO NOT suggest keeping the password.

    Author Comment

    Is there any way of hacking into the session objects in the app-server. That is our primary concern. we keep some role-based authentication information in there and my concern is that if you can hack into this and steal a session employee object it will be an opening for an imposter.


    Accepted Solution

    WebSphere manages secured and unsecured sessions separately. The session object created from the secure page is not accessible from the unsecured pages.

    Although I do not see any problem by putting the role information in the session, I would rather keep an identifier for the user in the session and manage the data separately.

    Expert Comment

    You have a choice between security and performance.
    If you only keep a user identifier in the session then every user request will need to trigger an authorization check against whatever store you keep the roles in (LDAP, RDBMS).

    Alternatively, upon login you fetch the roles once and keep them in the session.
    Your main threat vector is somehow compromising that within the JVM.

    Session hijacking outside of the JVM remains a threat for both scenarios.
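As an added example (not code from this thread or from WebSphere), a servlet filter sketching the first of the two designs described above: the HttpSession holds only the user identifier, and the roles are read from the store on every request. `RoleStore` is an assumed interface over whatever LDAP/RDBMS holds the roles, and the filter assumes the application publishes an implementation as a ServletContext attribute named `roleStore`.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Assumed interface over the authoritative role store (LDAP, RDBMS); not a WebSphere API. */
interface RoleStore {
    Set<String> rolesFor(String userId);
}

public class RoleCheckFilter implements Filter {
    /** The only security-relevant item kept in the session: who the user is. */
    static final String USER_ID_ATTR = "userId";
    private RoleStore store;
    private String requiredRole;

    public void init(FilterConfig cfg) {
        requiredRole = cfg.getInitParameter("requiredRole");                     // e.g. "employee"
        store = (RoleStore) cfg.getServletContext().getAttribute("roleStore");   // assumed wiring
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);   // never create a session here
        String userId = session == null ? null : (String) session.getAttribute(USER_ID_ATTR);
        if (userId == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Roles are re-read from the store on every request (the cost the comment above
        // describes); a role revoked in the store stops working on the very next request.
        if (!store.rolesFor(userId).contains(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Call once credentials are verified: drop the pre-login session so the authenticated
     *  user gets a fresh session id, then record only the identifier, never the password. */
    public static void onLoginSuccess(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute(USER_ID_ATTR, userId);
    }
}
```

Caching the roles in the session instead (the second design) removes the per-request lookup but means a revoked role lives on until that session ends.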

    Expert Comment

    My suggestion should help the original poster.
