
Java Forum / General / May 2005

Struts - Session objects

GuyBrush Treepwood - 17 May 2005 22:44 GMT
If I store an object in the session, is there any possibility the user
could change attributes of this object? For example by changing cookie
content? Where is the session object's info stored?

Signature

"Don't worry about people stealing your ideas. If your ideas are any good,
you'll have to ram them down people's throats."
    -- Howard Aiken

Wendy Smoak - 17 May 2005 23:13 GMT
> If I store an object in the session, is there any possibility the user
> could change attributes of this object?

Well... consider a Struts form bean sitting in session scope.  The user
submits a form, and the Struts framework populates the form bean with values
from the request.  You could say that the user has changed the attributes of
the form bean.  I imagine that's not what you mean, however.  What, exactly,
are you concerned about?

(Despite your subject line and my example, sessions don't really have
anything to do with Struts.)

> Where is the session objects info stored?

That's container-specific.  Possibly in memory as some flavor of Map, but
there's nothing in the Servlet Specification that says one way or another.

Speaking of, the Servlet Specification sets out 'the rules' that your
container must follow.  It's a good idea to at least skim it so you know
what's in there.
  http://java.sun.com/products/servlet/reference/api/index.html#specs

Signature

Wendy Smoak

GuyBrush Treepwood - 17 May 2005 23:36 GMT
>> If I store an object in the session, is there any possibility the user
>> could change attributes of this object?
[quoted text clipped - 4 lines]
> the form bean.  I imagine that's not what you mean, however.  What, exactly,
> are you concerned about?

An accountForm AccountBean is associated with an action Login. When a
user logs in, I want to store his username in a session object. So that
whenever he performs an action, for example editAccount.do, this action
checks the username from the accountForm with the username in the session
object. I don't want the user to be able to do
editAccountForm.do?username=otheruser .


Wendy Smoak - 17 May 2005 23:46 GMT
> An accountForm AccountBean is associated with an action Login. When a
> user logs in, I want to store his username in a session object. So that
> whenever he performs an action, for example editAccount.do, this action
> checks the username from the accountForm with the username in the session
> object. I don't want the user to be able to do
> editAccountForm.do?username=otheruser .

Sounds like you're on the right track.  The separate object that you store
in the session won't be affected by request params.


GuyBrush Treepwood - 17 May 2005 23:55 GMT
>> An accountForm AccountBean is associated with an action Login. When a
>> user logs in, I want to store his username in a session object. So that
[quoted text clipped - 5 lines]
> Sounds like you're on the right track.  The separate object that you store
> in the session won't be affected by request params.

That was actually my question from the start. :)
You've already been a great help to me the last few days. As you've
probably already guessed, I'm a complete and utter
Java/web application newbie.


Abhijat Vatsyayan - 18 May 2005 14:02 GMT
>>> If I store an object in the session, is there any possibility the user
>>> could change attributes of this object?
[quoted text clipped - 11 lines]
> object. I don't want the user to be able to do
> editAccountForm.do?username=otheruser .

If you are using the container (WebLogic/WebSphere/Tomcat etc.) for
authentication, you really should get the user name from the request using
the API. Use request.getUserPrincipal().

GuyBrush Treepwood - 18 May 2005 14:44 GMT
>> An accountForm AccountBean is associated with an action Login. When a
>> user logs in, I want to store his username in a session object. So that
[quoted text clipped - 6 lines]
> authentication, you really should get the user name from request using
> the API. Use  request.getUserPrincipal() ..

I just store an AuthenticatedUser object in the session when a user logs
in. Then, I use a ServletFilter to check whether the accountBean has the
same username as the object stored in the session.
How would this be done using the container? And why is it better?
Some links?

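As an added example, not code from anyone in this thread, here is what the filter GuyBrush describes could look like against the Servlet 2.x API of the time. It takes the trusted identity from request.getUserPrincipal() when the container authenticates users (Abhijat's suggestion) and otherwise from the session attribute the application set at login (Wendy's point that request parameters cannot touch it), then refuses any request whose username parameter names someone else. The class name and the "authenticatedUser" attribute name are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: map it in web.xml to the actions that take a
// username parameter (e.g. /editAccount.do) so the check runs before them.
public class OwnerCheckFilter implements Filter {
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() {}

    // The identity we trust. Prefer the container's principal (container
    // authentication); fall back to the application's own session attribute.
    static String trustedUser(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        if (p != null) return p.getName();
        HttpSession s = req.getSession(false);
        if (s == null) return null;
        Object u = s.getAttribute("authenticatedUser"); // assumed attribute name
        return u == null ? null : u.toString();
    }

    // Pure decision: the form's username must equal the trusted identity.
    // A missing parameter is rejected too; the action should never have to
    // guess whose account a request refers to.
    static boolean allowed(String trusted, String requested) {
        return trusted != null && requested != null && trusted.equals(requested);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String trusted = trustedUser(req);
        if (trusted == null) {                 // not logged in at all
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String requested = req.getParameter("username");
        if (!allowed(trusted, requested)) {    // e.g. ?username=otheruser
            // A mismatch is a tampering signal worth logging, not just refusing.
            ctx.log("username mismatch: session=" + trusted + " param=" + requested);
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

The session attribute is only ever written by the login action, so a browser that rewrites its cookies can at most switch to a different existing session, never edit the AuthenticatedUser stored server-side.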

©2008 Advenet LLC   Privacy Policy - Terms of Use