Solved

What are the vulnerabilities of having session variables and userids in websphere.

Posted on 2006-06-06
Last Modified: 2013-12-10
Question by:sunilramu
5 Comments
 
LVL 5

Expert Comment

by:Waswiz
ID: 16865638
Can you be more specific?

Are you asking about the vulnerability of keeping the user id in the session?

I do not see any problem keeping the user Id in the session and DO NOT suggest keeping the password.

Author Comment

by:sunilramu
ID: 16869993
Is there any way of hacking into the session objects in the app server? That is our primary concern. We keep some role-based authentication information in there, and my concern is that if you can hack into this and steal a session employee object, it will be an opening for an impostor.

thanks
sunil

Accepted Solution

by: Waswiz (earned 2000 total points)
ID: 16872141
WebSphere manages secured and unsecured sessions separately. The session object created from the secure page is not accessible from the unsecured pages.

Although I do not see any problem with putting the role information in the session, I would rather keep an identifier for the user in the session and manage the data separately.

Expert Comment

by:kgilchrist
ID: 17429120
You have a choice between security and performance.
If you only keep a user identifier in the session, then every user request will need to trigger an authorization check against whatever store you keep the roles in (LDAP, RDBMS).

Alternatively, upon login you fetch the roles once and keep them in the session.
Your main threat vector is somehow compromising that within the JVM.

Session hijacking outside of the JVM remains a threat for both scenarios.
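As an added illustration of the trade-off described in the comment above (example code, not from this thread or from WebSphere itself), a servlet filter that keeps only the user identifier in the session, re-fetches the roles from the authoritative store whenever the cached copy is older than an assumed TTL, and rotates the session id on login so a pre-login id cannot be carried into the authenticated session. `RoleStore`, the attribute names and the TTL are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Assumed interface for the authoritative role store (LDAP or RDBMS in practice).
interface RoleStore {
    Set<String> rolesFor(String userId);
}

public class RoleCheckFilter implements Filter {
    static final String USER_ID = "userId";        // the only identity fact kept in the session
    static final String ROLES = "roles";           // cached copy of the roles (optional)
    static final String ROLES_AT = "rolesFetchedAt";
    static final long ROLE_TTL_MS = 60_000L;       // assumed policy: re-check roles at most once a minute
    private final RoleStore store;
    private final String requiredRole;

    // Registered programmatically (ServletContext.addFilter with an instance) since it takes arguments.
    RoleCheckFilter(RoleStore store, String requiredRole) { this.store = store; this.requiredRole = requiredRole; }

    // Call once after the credentials have been verified elsewhere: drop the pre-login session so an
    // id an attacker may already know is never promoted to an authenticated one, then store only the user id.
    static void onLoginSuccess(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute(USER_ID, userId);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        String userId = session == null ? null : (String) session.getAttribute(USER_ID);
        if (userId == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute(ROLES);
        Long fetchedAt = (Long) session.getAttribute(ROLES_AT);
        long now = System.currentTimeMillis();
        if (roles == null || fetchedAt == null || now - fetchedAt > ROLE_TTL_MS) {
            roles = store.rolesFor(userId);        // authoritative check; TTL bounds how long a revoked role lingers
            session.setAttribute(ROLES, roles);
            session.setAttribute(ROLES_AT, now);
        }
        if (!roles.contains(requiredRole)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Setting `ROLE_TTL_MS` to zero gives the per-request lookup the comment describes; a larger value trades freshness of revocations for fewer store round-trips.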
Expert Comment

by:Waswiz
ID: 17621653
My suggestion should help the original poster.