Re: Configuring Struts NOT to create (unauthenticated) sessions
Here is what I need to do to avoid creating a session before the user has been authenticated:

. add <%@ page session="false" %> to the JSP used by my login tile definition (layout tiles) => requesting login.jsp doesn't create a session
. set controller locale="false" in struts-config.xml
. set validate="false" for the login action (. set scope="request" for the login action) => requesting login.do doesn't create a session until I create it myself when authentication has succeeded (or some action-mapping has scope="session").

Thank you all for help.

Nico.

> Quoting Nicolas De Loof:
>
>> I've made a grep on Struts 1.1 sources. I noticed some cases where a session is created that seem to me 'uncontrolled':
>>
>> RequestProcessor uses request.getSession():
>> - in processLocale if controller is configured to use Locale (default = true)
>>
>> HTMLTag uses request.getSession():
>> - in currentLocale(): if any JSP uses <html:html> a session is created!
>>
>> o.a.s.validator.Resources uses request.getSession():
>> - in getLocale(request): if validator is used (for example to validate the login page) a session will always be created
>>
>> Isn't there any way NOT to create a session for a user that hasn't been authenticated?
>>
>> Nico.
>
> Besides the places where Struts itself creates a session, if you're using JSP you should be aware that every JSP page will create a session unless you tell it not to:
>
> <%@ page session="false" %>
>
> Craig
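The three settings above work by removing every known getSession() caller from the login path, which only holds until someone adds a JSP, tag or action that calls it again. As an added example (not code from this thread, from Struts or from Tomcat), here is a servlet Filter that turns the policy into something the container enforces: every request that carries no authenticated session is wrapped, and any attempt to create a session on it is either logged with a stack trace ("audit" mode, which finds the Struts class, tag or JSP that still does it) or refused ("enforce" mode). It assumes the Servlet 2.3+ API (javax.servlet), and the attribute name authenticatedUser, the init-param name mode and the createAuthenticatedSession helper that the login action is expected to call are all assumptions of this example.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Added example, not Struts code. Map it to the whole application in web.xml
 * so it runs before the ActionServlet and before any JSP:
 *
 *   <filter>
 *     <filter-name>noAnonymousSession</filter-name>
 *     <filter-class>NoAnonymousSessionFilter</filter-class>
 *     <init-param><param-name>mode</param-name><param-value>enforce</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>noAnonymousSession</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class NoAnonymousSessionFilter implements Filter {

    /** Assumed attribute name: the login action stores the principal under it. */
    public static final String USER_KEY = "authenticatedUser";

    private static final Logger LOG = Logger.getLogger(NoAnonymousSessionFilter.class.getName());

    private boolean enforce;

    public void init(FilterConfig config) {
        // init-param "mode" is an assumption of this example: "audit" (default) or "enforce".
        enforce = "enforce".equalsIgnoreCase(config.getInitParameter("mode"));
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession existing = http.getSession(false);   // false: never allocates a session
        boolean authenticated = existing != null && existing.getAttribute(USER_KEY) != null;
        // Authenticated requests pass through untouched; anonymous ones get the guard.
        chain.doFilter(authenticated ? http : new Guard(http, enforce), resp);
    }

    /**
     * For the login action: after the credentials check succeeds, create the
     * session through the guard and mark it authenticated. Everything that runs
     * after this call (Struts locale handling, tiles, session listeners) then
     * sees an existing session and allocates nothing new.
     */
    public static HttpSession createAuthenticatedSession(HttpServletRequest request, Object user) {
        HttpServletRequest target = request;
        // Unwrap any wrappers added after ours until we reach the guard (or the raw request).
        while (target instanceof HttpServletRequestWrapper && !(target instanceof Guard)) {
            target = (HttpServletRequest) ((HttpServletRequestWrapper) target).getRequest();
        }
        HttpSession session = (target instanceof Guard)
                ? ((Guard) target).createSession()
                : target.getSession(true);
        session.setAttribute(USER_KEY, user);
        return session;
    }

    /** Request wrapper that intercepts every session-creating call on an anonymous request. */
    static final class Guard extends HttpServletRequestWrapper {
        private final boolean enforce;

        Guard(HttpServletRequest request, boolean enforce) {
            super(request);
            this.enforce = enforce;
        }

        public HttpSession getSession() {
            return getSession(true);
        }

        public HttpSession getSession(boolean create) {
            HttpSession session = super.getSession(false);
            if (session != null || !create) {
                return session;
            }
            String where = getMethod() + " " + getRequestURI();
            if (enforce) {
                // Fail the request rather than let an anonymous client allocate server memory.
                throw new IllegalStateException("session creation refused before authentication: " + where);
            }
            // Audit mode: record who asked, then allow it. The stack trace names the
            // Struts class, tag or JSP that still creates sessions on this URI.
            LOG.log(Level.WARNING, "anonymous session created on " + where, new Throwable("session creation site"));
            return super.getSession(true);
        }

        /** Only the login action, via createAuthenticatedSession, bypasses the guard. */
        HttpSession createSession() {
            return super.getSession(true);
        }
    }
}
```

Run it in audit mode first and watch the log while requesting login.jsp and login.do without a cookie: each warning's stack trace points at one of the callers listed in the grep above (RequestProcessor.processLocale, the html:html tag, the validator Resources, or the JSP's own page directive). Enforce mode is only safe once that log stays empty, because with the controller still at locale="true" the refusal fires on the login page itself and the request ends in a 500 instead of a session. A HttpSessionListener that builds per-user state in sessionCreated() then fires only for the session the login action creates.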
Re: Configuring Struts NOT to create (unauthenticated) sessions
Hi Nicolas

Glad you figured it out, and thanks for sharing it with the rest of us.

Peace,
Henrik

- Original Message -
From: Nicolas De Loof
To: Struts Users Mailing List
Sent: Friday, January 09, 2004 9:41 AM
Subject: Re: Configuring Struts NOT to create (unauthenticated) sessions
Re: Configuring Struts NOT to create (unauthenticated) sessions
I would just like some more info from Struts/J2EE masters: is this on-unauthenticated-URI-session-is-created scenario a possible DOS attack?

Nico.
RE: Configuring Struts NOT to create (unauthenticated) sessions
Hi All,

I have a somewhat similar problem. In my application, I have a UserSessionListener class that implements the HttpSessionListener interface. I have to create a stateful session EJB in the sessionCreated() method of my UserSessionListener and remove() the same stateful session EJB in the sessionDestroyed() method of my UserSessionListener.

Right now, I am using a simple login JSP that maps to a LoginAction class where a simple authentication check is made against some hardcoded username/password values; depending on the authentication, the forward is to a success/error JSP. [Later on, I shall be incorporating FORM based authentication in conjunction with OiD.]

My problem is that the (unauthenticated) session is created whenever the user hits the login page; this invokes the sessionCreated() method in my UserSessionListener, which creates the stateful session EJB even though the user is not yet authenticated.

How do I avoid this and force the creation of the session only after authenticating the user? Or is there any workaround for this?

Thanks.
Sanjay

-Original Message-
From: Nicolas De Loof
Sent: Thursday, January 08, 2004 2:30 PM
To: Struts Users Mailing List
Subject: Configuring Struts NOT to create (unauthenticated) sessions

Hi all,

I would like Struts NOT to create a session for an unauthenticated user.

As far as I understand Struts code, I need to set locale="false" in the struts-config.xml controller. Is there any other Struts mechanism that can create a session (excluding action-mappings declared as scope="session")?

Doesn't the locale default value (true) expose lots of Struts applications to attack? (server Out of Memory because too many sessions have been created - isn't this what is called Denial of Service?)

Nico.
Re: Configuring Struts NOT to create (unauthenticated) sessions
Nicolas.

I perhaps don't understand you, but (!) the locale attribute has nothing to do with creating sessions! The locale attribute tells Struts to save a Locale object in the session, if there is nothing stored.

Manfred
Re: Configuring Struts NOT to create (unauthenticated) sessions
Hi Manfred

I think Nicolas is trying to find all places where Struts manipulates the session in some way. Locale=True does indeed manipulate the session, thus resulting in the session being created, if not already there.

When no one (action, object, tag, whatever) has requested attributes to be stored in the session, no session object will exist. Session info (cookie, URL rewriting, etc.) is only created if there are attributes on the Session object. Am I correct on this one??

I don't understand WHY Nicolas does not want the session to be created... Is it because of memory usage... denial of service attacks...?

Maybe I don't understand Nicolas either... but I did give my few pennies away :-)

Regards
Henrik
Re: Configuring Struts NOT to create (unauthenticated) sessions
HG.

I _don't_ think you are right. A session object exists with and without Struts. The documentation says:

--
The Hypertext Transfer Protocol (HTTP) is by design a stateless protocol. To build effective web applications, it is imperative that requests from a particular client be associated with each other. Many strategies for session tracking have evolved over time, but all are difficult or troublesome for the programmer to use directly. This specification defines a simple HttpSession interface that allows a servlet container to use any of several approaches to track a user's session without involving the Application Developer in the nuances of any one approach.
--

The session is more than the attributes Struts can put into it ;-)

Manfred
Re: Configuring Struts NOT to create (unauthenticated) sessions
This is exactly what I'm looking for.

For some of the applications I'm working on, my customers are paranoid about security. I think that if an unauthenticated user is able to create a session on the server, it can expose the server to a DOS attack, because every created session will use some memory. It is really simple to write a client that sends hundreds of requests to the server. If a session is created on each request, the server will quickly be out of memory (Session object + stored objects (Locale) size). If a session is created only for authenticated users, the server will survive such a (simple) attack.

Perhaps I'm wrong about this; if this scenario is stupid please tell me.

For example, I've seen that RequestUtils.retrieveUserLocale() uses request scope if no session exists. This way, no session is created when displaying a login JSP that uses i18n.

With locale="true" (default) a new session is created when ActionServlet processes a request. We need to set it to false to control session creation. I want to know if there are other Struts properties to set to avoid creating a new session for a non-authenticated user.

Nico.
Re: Configuring Struts NOT to create (unauthenticated) sessions
A session CONTEXT is created when some code uses request.getSession() or request.getSession(true); session tracking (using a cookie or URL rewriting) is used to keep the association between user and context. The session tracking mechanism uses a random number generator but doesn't use memory to store any data until a CONTEXT is created.

Nico.
Re: Configuring Struts NOT to create (unauthenticated) sessions
I've made a grep on Struts 1.1 sources. I noticed some cases where a session is created that seem to me 'uncontrolled':

RequestProcessor uses request.getSession():
- in processLocale if controller is configured to use Locale (default = true)

HTMLTag uses request.getSession():
- in currentLocale(): if any JSP uses <html:html> a session is created!

o.a.s.validator.Resources uses request.getSession():
- in getLocale(request): if validator is used (for example to validate the login page) a session will always be created

Isn't there any way NOT to create a session for a user that hasn't been authenticated?

Nico.
Re: Configuring Struts NOT to create (unauthenticated) sessions
How are you performing authentication? Depending on the process you're using, it may be possible to avoid hitting any of those conditions until after it's successful.

P.S. By default, a JSP will create a session if one doesn't already exist (nothing to do with Struts), so any pages that can be hit by unauthenticated users should do: <%@ page session="false" %>

Quoting Nicolas De Loof [EMAIL PROTECTED]:

I've made a grep on the Struts 1.1 sources. I noticed some cases where a session is created that seem to me 'uncontrolled':
RequestProcessor uses request.getSession():
- in processLocale, if the controller is configured to use Locale (default = true)
HTMLTag uses request.getSession():
- in currentLocale(): if any JSP uses <html:html> a session is created!
o.a.s.validator.Resources uses request.getSession():
- in getLocale(request): if the validator is used (for example to validate the login page) a session will always be created
Isn't there any way NOT to create a session for a user that hasn't been authenticated?
Nico.

This is exactly what I'm looking for. For some of the applications I'm working on, my customers are paranoid about security. I think that if an unauthenticated user is able to create a session on the server, it can expose the server to a DoS attack, because every created session will use some memory. It is really simple to write a client that sends hundreds of requests to the server. If a session is created on each request, the server will quickly be out of memory (Session object + stored objects (Locale) size). If a session is created only for authenticated users, the server will survive such a (simple) attack. Perhaps I'm wrong about this; if this scenario is stupid, please tell me.

For example, I've seen that RequestUtils.retrieveUserLocale() uses request scope if no session exists. This way, no session is created when displaying a login JSP that uses i18n. With locale=true (default) a new session is created when ActionServlet processes a request. We need to set it to false to control session creation. I want to know if there are other Struts properties to set to avoid creating a new session for a non-authenticated user.
Nico.

Hi Manfred,
I think Nicolas is trying to find all places where Struts manipulates the session in some way. Locale=True does indeed manipulate the session, thus resulting in the session being created if not already there. When no one (action, object, tag, whatever) has requested attributes to be stored in the session, no session object will exist. Session info (cookie, URL rewriting, etc.) is only created if there are attributes on the Session object. Am I correct on this one??
I don't understand WHY Nicolas does not want the session to be created... Is it because of memory usage... denial of service attacks...? Maybe I don't understand Nicolas either... but I did give my few pennies away :-)
Regards
Henrik

- Original Message -
From: Manfred Wolff [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 3:22 PM
Subject: Re: Configuring Struts NOT to create (unauthenticated) sessions

Nicolas. I perhaps don't understand you, but (!) the locale attribute has nothing to do with creating sessions! The locale attribute tells Struts to save a Locale object in the session, if there is nothing stored.
Manfred

Nicolas De Loof wrote:
Hi all,
I would like Struts NOT to create a session for an unauthenticated user. As far as I understand the Struts code, I need to set locale=false in the struts-config.xml controller. Is there any other Struts mechanism that can create a session (excluding action-mappings declared as scope=session)? Doesn't the locale default value (true) expose lots of Struts applications to attack? (server Out of Memory because too many sessions have been created - isn't this what is called Denial of Service?)
Nico.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]

-- Dipl.-Inf. Manfred Wolff, phone neusta: +49 421 20696-27, phone: +49 421 534522, mobil: +49 178 49 18 434, eFax: +49 1212 6 626 63 965 33

-- Kris Schneider mailto:[EMAIL PROTECTED] D.O.Tech http://www.dotech.com/
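A way to verify, rather than grep for, the session creation points discussed in this thread: the filter below is an added example written for this page (not code from Struts or from anyone in the thread) against the Servlet 2.3 API of the Struts 1.1 era. Its class name is hypothetical, and it assumes you map it in web.xml to the unauthenticated URLs (login.jsp, /login.do); it logs a stack trace for every session created on a request that arrived without one, so you can see whether locale=false, validate=false and the page directive actually closed every path.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Hypothetical audit filter (not part of Struts). Map it to the login URLs in
 *  web.xml; it logs the stack trace of every call that creates a session on a
 *  request that arrived without one, i.e. an unauthenticated request. */
public class SessionCreationAuditFilter implements Filter {
    private ServletContext ctx;

    public void init(FilterConfig config) { ctx = config.getServletContext(); }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (http.getSession(false) != null) {
            chain.doFilter(req, res);          // already has a session: nothing to audit
            return;
        }
        chain.doFilter(new AuditingRequest(http, ctx), res);
        if (http.getSession(false) != null) {
            // A JSP, a Struts tag or the validator created a session for an
            // unauthenticated request; the exact creation point was logged below.
            ctx.log("Session created for unauthenticated request " + http.getRequestURI());
        }
    }

    /** Wraps the request so that every getSession() call downstream is observed. */
    private static class AuditingRequest extends HttpServletRequestWrapper {
        private final ServletContext ctx;
        AuditingRequest(HttpServletRequest req, ServletContext ctx) { super(req); this.ctx = ctx; }

        public HttpSession getSession() { return getSession(true); }

        public HttpSession getSession(boolean create) {
            boolean existed = super.getSession(false) != null;
            HttpSession s = super.getSession(create);
            if (create && !existed && s != null) {
                // The logged stack trace names the caller: RequestProcessor.processLocale,
                // HTMLTag.currentLocale, validator Resources.getLocale, or a JSP's _jspService.
                ctx.log("session created for " + getRequestURI() + " by", new Throwable("creation point"));
            }
            return s;
        }
    }
}
```

The filter only reports; the complementary mitigation for the memory exhaustion Nico describes is a container-level cap on live sessions (Tomcat's Manager maxActiveSessions attribute), which bounds the damage from any creation path the audit misses.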
Re: Configuring Struts NOT to create (unauthenticated) sessions
I would like to set my login JSP to have this directive (<%@ page session="false" %>) and the other ones to be in WEB-INF (not visible to users). I use an application-specific authentication. I would like any user (friend or hacker) to get access to the (internationalized) login page, be able to commit the login form to /login.do, and use struts-validator to validate required inputs. For all this no session should be created. When the user is authenticated, access to other URIs of the application is granted by a custom processRole.
Nico.
Re: Configuring Struts NOT to create (unauthenticated) sessions
It sounds like the real issue is validator usage (I'm assuming you can avoid the other features that cause session creation). How difficult would it be to do the login validation by hand? I expect you're just verifying that something like a user and password have been submitted (and maybe that they conform to some format).
Re: Configuring Struts NOT to create (unauthenticated) sessions
Besides the places where Struts itself creates a session, if you're using JSP you should be aware that every JSP page will create a session unless you tell it not to: <%@ page session="false" %>
Craig