
Java Forum / General / February 2006


Session variable in JSP/servlet application

Steve Sobol - 14 Feb 2006 05:29 GMT
How secure is stuff stored in a JSP session using session.setAttribute() ?

I'm thinking, "not at all" - and that I need to encrypt sensitive
information like passwords if I'm storing it that way. But I could be wrong.

Signature

Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: sjsobol@JustThe.net Snail: 22674 Motnocab Road, Apple Valley, CA 92307

Vitamines - 14 Feb 2006 06:01 GMT
When you set the sensitive information into a session, you'd better encrypt
it using md5, then it will be safe.
Timo Stamm - 14 Feb 2006 11:53 GMT
Vitamines wrote:
> When you set the sensitive information into a session, you'd better encrypt
> it using md5, then it will be safe.

This must be a joke. If you "encrypt" something with MD5, the
information itself is lost.

MD5 is a hashing algorithm, not an encryption algorithm.

Besides, sessions reside on the server side, so they can be considered
safe under the assumption that client == unsafe and server == safe.

Timo
Roedy Green - 14 Feb 2006 16:51 GMT
> When you set the sensitive information into a session, you'd better encrypt
> it using md5, then it will be safe.

You can do a password digest with MD5 but not general encryption.

see http://mindprod.com/jgloss/encryption.html
http://mindprod.com/jgloss/md5.html
Signature

Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.

inquisitive - 16 Feb 2006 04:17 GMT
Hi,
the basic question was
" How secure is stuff stored in a JSP session using
session.setAttribute() ? "

Try reading the following link to know how secure it is:

http://www.securiteam.com/securityreviews/5TP0F0UEVQ.html
Andrea Desole - 14 Feb 2006 09:09 GMT
> How secure is stuff stored in a JSP session using session.setAttribute() ?
>
> I'm thinking, "not at all" - and that I need to encrypt sensitive
> information like passwords if I'm storing it that way. But I could be wrong.

Except in a few cases (for example if you have to serialize the information
in your session) you shouldn't worry about it. Session information stays
on the server, and it's associated with the client request via the
jsessionid cookie.
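
The serialization case mentioned in the post above, as an added example that is not part of the original thread: when a container writes sessions to disk or replicates them, each attribute goes through Java serialization, and a plain `String` field lands in those bytes while a `transient` field does not. The class names, field names and the sample secret are constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class SessionSerializationDemo {
    // Hypothetical attribute as it might be passed to session.setAttribute().
    static class LoginState implements Serializable {
        private static final long serialVersionUID = 1L;
        String username;
        String password;               // written out whenever the session is serialized
        LoginState(String u, String p) { username = u; password = p; }
    }

    // Same data, but the secret is excluded from Java serialization.
    static class SaferLoginState implements Serializable {
        private static final long serialVersionUID = 1L;
        String username;
        transient char[] password;     // transient: skipped by ObjectOutputStream
        SaferLoginState(String u, char[] p) { username = u; password = p; }
    }

    // Stands in for what a container does when it persists or replicates an attribute.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // True if the ASCII secret appears verbatim in the serialized bytes.
    static boolean leaks(byte[] data, String secret) {
        return new String(data, StandardCharsets.ISO_8859_1).contains(secret);
    }

    public static void main(String[] args) throws Exception {
        String secret = "s3cr3t-constructed";   // constructed sample value
        byte[] weak = serialize(new LoginState("steve", secret));
        byte[] safer = serialize(new SaferLoginState("steve", secret.toCharArray()));
        System.out.println("plain String field found in bytes: " + leaks(weak, secret));
        System.out.println("transient field found in bytes:    " + leaks(safer, secret));
        SaferLoginState back = (SaferLoginState) deserialize(safer);
        System.out.println("restored user=" + back.username
                + ", password restored: " + (back.password != null));
    }
}
```

After a restore the transient field is null, so code reading the attribute has to handle a missing secret, for example by asking the user to authenticate again.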

