I've made a grep on the Struts 1.1 sources. I noticed some cases where a session is created that seem to me 'uncontrolled':
RequestProcessor uses request.getSession():
- in processLocale, if the controller is configured to use Locale (default = true)

HTMLTag uses request.getSession():
- in currentLocale(): if any JSP uses <html:html>, a session is created!

o.a.s.validator.Resources uses request.getSession():
- in getLocale(request): if the validator is used (for example to validate the login page), a session will always be created

Isn't there any way NOT to create a session for a user that hasn't been authenticated?

Nico.

> This is exactly what I'm looking for.
>
> For some of the applications I'm working on, my customers are paranoid about
> security. I think that if an unauthenticated user is able to create a session on
> the server, it can expose the server to a DOS attack, because every created
> session will use some memory.
>
> It is really simple to write a client that sends hundreds of requests to the
> server. If a session is created on each request, the server will quickly be out
> of memory (Session object + stored objects (Locale) size).
>
> If a session is created only for authenticated users, the server will survive
> such a (simple) attack.
>
> Perhaps I'm wrong about this; if this scenario is stupid, please tell me.
>
> For example, I've seen that RequestUtils.retrieveUserLocale() uses request scope
> if no session exists. This way, no session is created when displaying a login JSP
> that uses i18n.
>
> With locale="true" (default) a new session is created when ActionServlet
> processes a request. We need to set it to false to control session creation. I
> want to know if there are other Struts properties to set to avoid creating a new
> session for a non-authenticated user.
>
> Nico.
>
> > Hi Manfred
> >
> > I think Nicolas is trying to find all places where Struts manipulates the
> > session in some way..
> >
> > Locale=True does indeed manipulate the session..thus resulting in the
> > session being created, if not already there.
> >
> > When no one (action, object, tag, whatever) has requested attributes to be
> > stored in the session, no session object will exist..Session info (cookie,
> > URL rewriting, etc) is only created if there are attributes on the Session
> > object. Am I correct on this one??
> >
> > I don't understand WHY Nicolas does not want the session to be created...Is
> > it because of memory usage...denial of service attacks...?
> >
> > Maybe I don't understand Nicolas either...but I did give my few pennies
> > away :-)
> >
> > Regards
> >
> > Henrik
> >
> > ----- Original Message -----
> > From: "Manfred Wolff" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > Sent: Thursday, January 08, 2004 3:22 PM
> > Subject: Re: Configuring Struts NOT to create (unauthentified) sessions
> >
> > > Nicolas.
> > >
> > > I perhaps don't understand you, but (!) the locale attribute has nothing
> > > to do with creating sessions! The locale attribute tells Struts to save
> > > a Locale object in the session, if there is nothing stored.
> > >
> > > Manfred
> > >
> > > Nicolas De Loof wrote:
> > >
> > > > Hi all,
> > > >
> > > > I would like Struts NOT to create a session for an unauthenticated user.
> > > > As far as I understand the Struts code, I need to set locale="false" in
> > > > struts-config.xml <controller>.
> > > >
> > > > Is there any other Struts mechanism that can create a session (excluding
> > > > action-mappings declared as scope="session")?
> > > >
> > > > Doesn't the "locale" default value (true) expose lots of Struts
> > > > applications to attack? (server Out of Memory because too many sessions
> > > > have been created - isn't this what is called "Denial of Service"?)
> > > >
> > > > Nico.
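The grep Nico describes can also be done at run time. The servlet filter below is an added example for this thread, not code from the mailing list or from Struts: it wraps requests that carry no authenticated user so that any implicit request.getSession() call which creates a new session is logged together with the stack trace of the code that made it, which is how you find the RequestProcessor.processLocale, <html:html> and validator Resources.getLocale() call sites in a running application. It assumes container-managed authentication (getUserPrincipal()) marks a request as authenticated; adapt that test if the login is application-level.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Hypothetical diagnostic filter; map it in web.xml in front of the Struts ActionServlet. */
public class SessionCreationAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionCreationAuditFilter.class.getName());

    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Assumption: a request without a container principal is unauthenticated.
        boolean anonymous = http.getUserPrincipal() == null;
        chain.doFilter(anonymous ? new AuditingRequest(http) : http, res);
    }

    /** Intercepts getSession() so the creator of a new session on an anonymous request is logged. */
    static final class AuditingRequest extends HttpServletRequestWrapper {
        AuditingRequest(HttpServletRequest r) { super(r); }

        public HttpSession getSession() { return getSession(true); }

        public HttpSession getSession(boolean create) {
            boolean existed = super.getSession(false) != null;   // check before creating
            HttpSession s = super.getSession(create);
            if (s != null && !existed) {
                // Logged once per created session; the Throwable carries the caller's stack,
                // so Struts' processLocale, the <html:html> tag or Resources.getLocale() show up.
                Throwable origin = new Throwable("session " + s.getId()
                        + " created for unauthenticated request " + getRequestURI()
                        + " from " + getRemoteAddr());
                LOG.log(Level.WARNING, "unauthenticated session created", origin);
            }
            return s;
        }
    }
}
```

Counting the warnings per remote address over a time window in the same place gives a cheap alarm for the many-sessions-from-one-client scenario discussed above; the filter does not block session creation, because Struts' processLocale expects getSession() to return a non-null session.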