Lorena Carlo wrote:
>
> Hello all, thanks for the answers, but you haven't really answered me as to whether
> it is dangerous to do this or not. The reason I want to do this is for
> validating a user after he has accessed the program: I want him to re-enter
> the password for some operations, and I don't want to access the
> database again, so I want to validate it against the session variable.
>
AFAIK, if you store it in a session variable, it never sees the outside
world; however, IMHO it's better to store some hashed version of the
password in the session and make the comparisons against this hashed
version than against the real password. Anyway, I would never store the
password directly in the database if you're really concerned with
security. Use something like an MD5 hash to store the password in the DB
and then store the hash in the session, but DON'T USE COOKIES to pass the
password around. You might even want to store it in some bean using the
transient modifier so the hash does not get serialized when your bean
gets serialized, so if you have to check the user's password and the
password == null you'd have to go to the DB to retrieve it again.

sven

--
======================================================================================
Sven E. van 't Veer
http://www.cachoeiro.net
Java Developer                                                      [EMAIL PROTECTED]
======================================================================================
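The scheme Sven sketches, as an added example rather than code from the thread: a session bean that holds only a digest of the password in a transient field, compares the re-entered password against that digest, and goes back to the database only when serialization has dropped the cached value. The class name PasswordCheckBean and the dbLookup callback are assumed; MD5 is used only because that is the digest the post names, and the algorithm string is the one place to change it.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.Supplier;

/** Session-scoped bean holding only a digest of the password, never the password itself. */
public class PasswordCheckBean implements Serializable {
    private static final long serialVersionUID = 1L;
    // transient: dropped when the container serializes the session (passivation, clustering)
    private transient byte[] passwordHash;

    public PasswordCheckBean(byte[] passwordHash) { this.passwordHash = passwordHash; }

    /** Digest used for both the stored value and the re-entered password (MD5 as in the thread). */
    public static byte[] digest(char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            return md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Re-validates a password typed for a sensitive operation; dbLookup runs only if the cached hash is gone. */
    public boolean verify(char[] entered, Supplier<byte[]> dbLookup) {
        if (passwordHash == null) {           // bean was deserialized: transient field is null
            passwordHash = dbLookup.get();    // fetch the stored hash from the DB again
        }
        // constant-time comparison of the two digests
        return MessageDigest.isEqual(passwordHash, digest(entered));
    }

    public static void main(String[] args) throws Exception {
        byte[] stored = digest("s3cret".toCharArray());   // constructed sample credential
        PasswordCheckBean bean = new PasswordCheckBean(stored);
        System.out.println(bean.verify("s3cret".toCharArray(), () -> stored)); // true, no DB call

        // Simulate the servlet container serializing the session and restoring it.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(bean); }
        PasswordCheckBean restored = (PasswordCheckBean) new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray())).readObject();
        System.out.println(restored.verify("wrong".toCharArray(), () -> stored)); // false, after DB reload
    }
}
```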

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
