Loading...

user@struts.apache.org

[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It [EMAIL PROTECTED] Mon Feb 27 12:00:21 2012

I appreciate your comments, but what I'd like to accomplish is what
instructions should we provide in our tutorial on using the SessionAware
interface in order to best mitigate the security vulnerabilities introduced
when using SessionAware given how the Struts 2 framework works today.

I don't think using only immutable objects in the session reduces the
vulnerability.  String is immutable, but as I understand the security
vulnerability of using SessionAware, a hacker could change the String value
I've stored in the session.

When using SessionAware what do experienced Struts 2 developers do to reduce
as much as possible the vulnerability identified in my original post?  I'd
like to include these practices in the SessionAware tutorial.

Thank you for the feedback.



--
View this message in context: 
http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5519824.html
Sent from the Struts - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]