unsubscribe
--- Steven Owens <[EMAIL PROTECTED]> wrote:
> > On Fri, 20 Oct 2000, Lorena Carlo wrote:
> > > Can somebody tell me if there is a risk in declaring a session
> > > variable that contains passwords?
> >
> > Ask yourself why you need to. People usually store them encrypted in
> > cookies.
>
>      Back before JSP and the servlet spec became popular, the session
> variables were often called server-side cookies.  If you can be sure
> that the mechanism that keeps the variables isn't going to be exposed
> to the outside world, then it's relatively safe for use in
> trivial-security circumstances.  I suspect Lorena meant something like
> this.  However, if the storage mechanism is relatively secure, then
> why bother storing the password?  Why not just store the
> logged-in=true that somebody suggested?
>
>      In more secure settings, what is often done is: the server side
> generates an encrypted temporary serial number that it hands to the
> browser (under SSL in any event, but).  The server side keeps track of
> this info with a session variable with a short (5-10 minutes) timeout
> that is refreshed with each request that comes in.  This helps to
> narrow the possible window of vulnerability if the user walks away
> from the machine without shutting down the browser.
>
>      Of course this *still* isn't very secure, but then again nothing
> taking place over a browser really is....
>
> Steven J. Owens
> [EMAIL PROTECTED]
>
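The server-side scheme Steven describes (an opaque random token handed to the browser, only the logged-in identity kept on the server, a short idle timeout refreshed on every request) as an added example in plain Java SE; it is not code from the original thread, the class and method names are my own, and the clock is injected so the expiry can be shown offline:

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

/** Server-side session store: opaque random token, no password kept, short idle timeout. */
public final class IdleTimeoutSessions {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> sessions = new HashMap<>();
    private final Duration idleTimeout;
    private final Supplier<Instant> clock;   // injectable so the timeout can be demonstrated
    private static final class Entry { final String user; Instant lastSeen; Entry(String u, Instant t) { user = u; lastSeen = t; } }
    IdleTimeoutSessions(Duration idleTimeout, Supplier<Instant> clock) { this.idleTimeout = idleTimeout; this.clock = clock; }

    /** Call after the password has been verified. Only the identity is recorded, never the password. */
    String login(String user) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG: an unguessable token
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Entry(user, clock.get()));
        return token;                                    // hand to the browser as a Secure, HttpOnly cookie
    }

    /** Resolve a token on each request; refreshes the idle clock and drops the session once it lapses. */
    String touch(String token) {
        Entry e = sessions.get(token);
        if (e == null) return null;
        Instant now = clock.get();
        if (Duration.between(e.lastSeen, now).compareTo(idleTimeout) > 0) {
            sessions.remove(token);                      // walked-away browser: the window closes server-side
            return null;
        }
        e.lastSeen = now;
        return e.user;
    }
    void logout(String token) { sessions.remove(token); }

    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2000-10-20T12:00:00Z") };   // constructed, settable clock
        IdleTimeoutSessions s = new IdleTimeoutSessions(Duration.ofMinutes(10), () -> now[0]);
        String token = s.login("user1");
        now[0] = now[0].plus(Duration.ofMinutes(9));
        System.out.println(s.touch(token));   // user1 (within 10 min, idle clock refreshed)
        now[0] = now[0].plus(Duration.ofMinutes(9));
        System.out.println(s.touch(token));   // user1 (only 9 min since the last refresh)
        now[0] = now[0].plus(Duration.ofMinutes(11));
        System.out.println(s.touch(token));   // null  (idle past the timeout, session gone)
    }
}
```

Inside a servlet container, HttpSession already does this for you: call setMaxInactiveInterval(600) and store a logged-in attribute rather than the password; the class above only makes visible what the container keeps server-side.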



===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
