WebApps: how secure is this method?

Borealis7

Platinum Member
Oct 19, 2006
Hi all, your friendly Java web application developer here with a question.

I'm trying to develop a "homegrown" HTTP servlet-based architecture (I know there are many open-source ones available) as a side project, and I had this idea for a log-in/security mechanism:

On user log-in: store the HTTP session ID in a list and save it in the application scope ("above" the session, all server side of course). If the ID is already in the list, return to the log-in page (don't allow double log-ins).

On every "Submit" (HTTP request to the server): check the request's session ID against the list. Proceed if found, otherwise throw out to the log-in page (disregard the performance hit, it's not the issue here).

On log-out or time-out: remove the ID from the list.

The idea is to stop a hacker from just typing the URL of a page in the application into the address bar and getting access to the data, and to do it without session cookies, which can be manipulated on the client side.

Obviously, I take the session ID from the HTTPRequest object itself and not from a GET/POST parameter, as a measure against HTTP watchers who could easily paste the session ID into the URL line or whatever.

Is this easily breakable?

Crusty

Lifer
Sep 30, 2001
If the client doesn't use a cookie and the session ID is not stored in the query string, how exactly does the server know which request belongs to which client?

Also, using a list to store the set of active sessions is a bad idea. As your active session count grows, the time to do a lookup grows linearly; you're much better off using a map.
 

Borealis7

Platinum Member
Oct 19, 2006
I know the performance is bad, but it's not what I'm interested in. I could alternatively store them in a DB table or something...

The server gets the session ID from the HTTPRequest object, which has a pointer to its "father" session, the HTTPSession object, and the session object has a string member for the session ID. That's not a problem.

IIRC, the browser gets the session ID from the application the first time they make contact and the session is created. Afterwards the browser attaches the session ID to the request object each time a new request is created, so there is no way for the hacker to intervene.
 

Crusty

Lifer
Sep 30, 2001
> I know the performance is bad, but it's not what I'm interested in. I could alternatively store them in a DB table or something...
>
> The server gets the session ID from the HTTPRequest object, which has a pointer to its "father" session, the HTTPSession object, and the session object has a string member for the session ID. That's not a problem.
>
> IIRC, the browser gets the session ID from the application the first time they make contact and the session is created. Afterwards the browser attaches the session ID to the request object each time a new request is created, so there is no way for the hacker to intervene.

How do you think the clients are storing the session data? They are using a cookie to store the session ID, which then gets put into the headers and sent along with your HTTP request.

Maybe I'm confused as to what you are trying to do, though... are you trying to create your own Java Servlet API to host your own code, or are you just writing the applets?
 

Borealis7

Platinum Member
Oct 19, 2006
I'm trying to make a servlet wrapper which would be a base class for other classes to inherit from. This base class would implement the security features so that every request goes through validation. It would have one abstract method in which every servlet would implement its own logic.
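Here is one way to put the mechanism from the first post (application-scoped registry of logged-in session IDs, checked on every request, cleared on log-out or time-out) and the base class from the last post together. It is an added example, not the poster's code: the class name SessionGuard, the attribute keys, the URLs /login, /logout and /account, and the credential check are all assumed (the credential check is a placeholder). It keeps Crusty's point in view: the ID is read from the container's HttpSession, which the container resolved from the JSESSIONID cookie (or from ;jsessionid URL rewriting, which the check refuses), so the scheme still depends on a cookie. It also uses a map rather than a list, keys the duplicate-log-in check on the user name (a freshly created session's ID cannot already be in the map), and discards any session that existed before authentication so that a session ID chosen before log-in never becomes an authenticated one. Written against Servlet 3.0 annotations in javax.servlet; on Jakarta EE 9 or later the imports are jakarta.servlet.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Illustrative example; names and URLs below are assumptions, not from the thread. */
public final class SessionGuard {
    private SessionGuard() {}

    static final String ACTIVE_ATTR = "sessionGuard.active"; // ServletContext attribute key
    static final String USER_ATTR = "sessionGuard.user";     // HttpSession attribute key

    /** Application-scoped map of session ID -> user name. A map, not a list: O(1) lookup. */
    @SuppressWarnings("unchecked")
    static Map<String, String> active(ServletContext ctx) {
        synchronized (ctx) {
            Map<String, String> m = (Map<String, String>) ctx.getAttribute(ACTIVE_ATTR);
            if (m == null) {
                m = new ConcurrentHashMap<>();
                ctx.setAttribute(ACTIVE_ATTR, m);
            }
            return m;
        }
    }

    /** Base class: every request is validated before the subclass's logic runs. */
    public abstract static class SecuredServlet extends HttpServlet {
        @Override
        protected void service(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // getSession(false) never creates a session for an unauthenticated hit.
            // The ID comes from the container's session object, which the container
            // resolved from the JSESSIONID cookie, never from a GET/POST parameter.
            HttpSession s = req.getSession(false);
            boolean ok = s != null
                    && req.isRequestedSessionIdValid()
                    && !req.isRequestedSessionIdFromURL()   // refuse ;jsessionid=... in the URL
                    && active(getServletContext()).containsKey(s.getId());
            if (!ok) {
                resp.sendRedirect(req.getContextPath() + "/login");
                return;
            }
            doSecured(req, resp, s);
        }

        /** The one method each concrete servlet implements with its own logic. */
        protected abstract void doSecured(HttpServletRequest req, HttpServletResponse resp,
                                          HttpSession session) throws ServletException, IOException;
    }

    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("user");
            if (user == null || !checkCredentials(user, req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            Map<String, String> active = active(getServletContext());
            if (active.containsValue(user)) {              // no double log-ins, keyed by user
                resp.sendRedirect(req.getContextPath() + "/login?already=1");
                return;
            }
            // Drop any session that existed before authentication so an ID the client
            // held (or was handed) before log-in never becomes an authenticated one.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            HttpSession s = req.getSession(true);          // fresh ID, new Set-Cookie
            s.setAttribute(USER_ATTR, user);
            active.put(s.getId(), user);
            resp.sendRedirect(req.getContextPath() + "/account");
        }

        /** Placeholder only: real code verifies against a password store. */
        private static boolean checkCredentials(String user, String password) {
            return password != null && !password.isEmpty();
        }
    }

    @WebServlet("/logout")
    public static class LogoutServlet extends SecuredServlet {
        @Override
        protected void doSecured(HttpServletRequest req, HttpServletResponse resp, HttpSession s)
                throws IOException {
            s.invalidate();   // fires sessionDestroyed below, which removes the ID
            resp.sendRedirect(req.getContextPath() + "/login");
        }
    }

    @WebServlet("/account")
    public static class AccountServlet extends SecuredServlet {
        @Override
        protected void doSecured(HttpServletRequest req, HttpServletResponse resp, HttpSession s)
                throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("Hello, " + s.getAttribute(USER_ATTR));
        }
    }

    /** Log-out and time-out share one path: the container destroys the session, we drop its ID. */
    @WebListener
    public static class Cleanup implements HttpSessionListener {
        @Override public void sessionCreated(HttpSessionEvent e) { }
        @Override public void sessionDestroyed(HttpSessionEvent e) {
            HttpSession s = e.getSession();
            active(s.getServletContext()).remove(s.getId());
        }
    }
}
```

Because the map is keyed by the container's own session ID, "is the ID in the map" is only as strong as the ID itself: a browser that presents a valid JSESSIONID cookie is treated as that user, so the check adds nothing over storing the user in the session, and the cookie still has to be protected (HttpOnly, Secure, sent over TLS). The HttpSessionListener is what makes the time-out case work without any timer of your own: when the container expires an idle session it calls sessionDestroyed, which removes the ID from the map just as an explicit log-out does.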