It sounds like the real issue is validator usage (I'm assuming you can avoid the
other features that cause session creation). How difficult would it be to do the
login validation "by hand"? I expect you're just verifying that something like a
user and password have been submitted (and maybe that they conform to some format).

Quoting Nicolas De Loof <[EMAIL PROTECTED]>:

> I would like to set my login JSP to have this directive (<%@ page
> session="false" %>) and the other ones to be in WEB-INF (not visible to
> users).
> 
> I use an application-specific authentication.
> 
> I would like any user (friend or hacker) to get access to the
> (internationalized) login page, be able to commit the login form to
> "/login.do", and use struts-validator to validate required inputs. For all
> this no session should be created. When the user is authenticated, access to
> the other URIs of the application is granted by a custom processRole.
> 
> Nico.
> 
> 
> 
> > How are you performing authentication? Depending on the process you're
> > using, it may be possible to avoid hitting any of those conditions until
> > after it's successful.
> >
> > P.S.
> > By default, a JSP will create a session if one doesn't already exist
> > (nothing to do with Struts), so any pages that can be hit by
> > unauthenticated users should do:
> >
> > <%@ page session="false" %>
> >
> > Quoting Nicolas De Loof <[EMAIL PROTECTED]>:
> >
> > > I've made a grep on the Struts 1.1 sources. I noticed some cases where
> > > a session is created that seem to me 'uncontrolled':
> > >
> > >
> > > RequestProcessor uses request.getSession():
> > > - in processLocale, if the controller is configured to use Locale
> > >   (default = true)
> > >
> > > HTMLTag uses request.getSession():
> > > - in currentLocale(): if any JSP uses <html:html> a session is created!
> > >
> > > o.a.s.validator.Resources uses request.getSession():
> > > - in getLocale(request): if the validator is used (for example to
> > >   validate the login page) a session will always be created
> > >
> > >
> > > Isn't there any way NOT to create a session for a user that hasn't been
> > > authenticated?
> > >
> > > Nico.
> > >
> > >
> > >
> > >
> > >
> > > >
> > > > This is exactly what I'm looking for.
> > > >
> > > > For some of the applications I'm working on, my customers are paranoid
> > > > about security. I think that if an unauthenticated user is able to
> > > > create a session on the server, it can expose the server to a DOS
> > > > attack, because every created session will use some memory.
> > > >
> > > > It is really simple to write a client that sends hundreds of requests
> > > > to the server. If a session is created on each request, the server
> > > > will quickly be out of memory (Session object + stored objects (Locale)
> > > > size).
> > > >
> > > > If a session is created only for authenticated users, the server will
> > > > survive such a (simple) attack.
> > > >
> > > > Perhaps I'm wrong about this; if this scenario is stupid please tell
> > > > me.
> > > >
> > > > For example, I've seen that RequestUtils.retrieveUserLocale() uses
> > > > request scope if no session exists. This way, no session is created
> > > > when displaying a login JSP that uses i18n.
> > > >
> > > > With locale="true" (default) a new session is created when
> > > > ActionServlet processes a request. We need to set it to false to
> > > > control session creation. I want to know if there are other Struts
> > > > properties to set to avoid creating a new session for a
> > > > non-authenticated user.
> > > >
> > > >
> > > > Nico.
> > > >
> > > >
> > > >
> > > > > Hi Manfred
> > > > >
> > > > > I think Nicolas is trying to find all places where Struts
> > > > > manipulates the session in some way..
> > > > >
> > > > > Locale=True does indeed manipulate the session, thus resulting in
> > > > > the session being created, if not already there.
> > > > >
> > > > > When no one (action, object, tag, whatever) has requested attributes
> > > > > to be stored in the session, no session object will exist. Session
> > > > > info (cookie, URL rewriting, etc.) is only created if there are
> > > > > attributes on the Session object. Am I correct on this one??
> > > > >
> > > > > I don't understand WHY Nicolas does not want the session to be
> > > > > created... Is it because of memory usage... denial of service
> > > > > attacks...?
> > > > >
> > > > > Maybe I don't understand Nicolas either... but I did give my few
> > > > > pennies away :-)
> > > > >
> > > > > Regards
> > > > >
> > > > > Henrik
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Manfred Wolff" <[EMAIL PROTECTED]>
> > > > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > > > Sent: Thursday, January 08, 2004 3:22 PM
> > > > > Subject: Re: Configuring Struts NOT to create (unauthentified)
> > > > > sessions
> > > > >
> > > > >
> > > > > > Nicolas.
> > > > > >
> > > > > > I perhaps don't understand you, but (!) the locale attribute has
> > > > > > nothing to do with creating sessions! The locale attribute tells
> > > > > > Struts to save a Locale object in the session, if there is nothing
> > > > > > stored.
> > > > > >
> > > > > > Manfred
> > > > > >
> > > > > > Nicolas De Loof wrote:
> > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I would like Struts NOT to create a session for an
> > > > > > > unauthenticated user. As far as I understand the Struts code, I
> > > > > > > need to set locale="false" in the struts-config.xml <controller>.
> > > > > > >
> > > > > > > Is there any other Struts mechanism that can create a session
> > > > > > > (excluding action-mappings declared as scope="session")?
> > > > > > >
> > > > > > > Doesn't the "locale" default value (true) expose lots of Struts
> > > > > > > applications to attack? (server Out of Memory because too many
> > > > > > > sessions have been created - isn't this what is called "Denial
> > > > > > > of Service"?)
> > > > > > >
> > > > > > > Nico.
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > -- 
> > > > > > ===========================================
> > > > > > Dipl.-Inf. Manfred Wolff
> > > > > > -------------------------------------------
> > > > > > phone neusta  : +49 421 20696-27
> > > > > > phone         : +49 421 534522
> > > > > > mobil         : +49 178 49 18 434
> > > > > > eFax          : +49 1212 6 626 63 965 33
> > > > > > -------------------------------------------
> >
> > -- 
> > Kris Schneider <mailto:[EMAIL PROTECTED]>
> > D.O.Tech       <http://www.dotech.com/>



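The two ideas in the thread, validating the login form "by hand" so the request never touches the session, and a check that catches any session that still gets created for an unauthenticated request, as an added example written for this edit (not code from the thread, from Kris, Nicolas, or from Struts itself). It assumes the Struts 1.1 and Servlet 2.3 APIs, an action-mapping for /login.do declared with scope="request" and validate="false", <controller locale="false"/> in struts-config.xml (the thread notes processLocale() otherwise calls getSession()), a login JSP with <%@ page session="false" %> that does not use <html:html>, and a hypothetical application class Authenticator.check(user, password) for the application-specific credential check. The parameter names, message keys, the "user" session attribute and the user-name format rule are all assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionError;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Login action that checks the submitted fields itself instead of through
 * struts-validator, so nothing calls request.getSession() until the
 * credentials have actually been verified.
 */
public class LoginAction extends Action {

    // Assumed format rule for this example: a short ASCII user name.
    private static final Pattern USER_PATTERN =
        Pattern.compile("^[A-Za-z0-9._-]{1,32}$");
    private static final int MAX_PASSWORD_LENGTH = 128;

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        ActionErrors errors = validate(user, password);
        if (errors.isEmpty()) {
            // Authenticator is a placeholder for the application-specific check.
            if (!Authenticator.check(user, password)) {
                errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("login.failed"));
            }
        }
        if (!errors.isEmpty()) {
            // saveErrors() stores the errors as a *request* attribute: no session.
            saveErrors(request, errors);
            return mapping.getInputForward();
        }

        // Only a verified user is allowed to cost the server a session.
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);
        return mapping.findForward("success");
    }

    /** Required-field and format checks; never touches the session. */
    static ActionErrors validate(String user, String password) {
        ActionErrors errors = new ActionErrors();
        if (user == null || !USER_PATTERN.matcher(user).matches()) {
            errors.add("username", new ActionError("login.username.invalid"));
        }
        if (password == null || password.length() == 0
                || password.length() > MAX_PASSWORD_LENGTH) {
            errors.add("password", new ActionError("login.password.invalid"));
        }
        return errors;
    }
}

// ---- UnauthenticatedSessionFilter.java (separate file; map it to /* in web.xml) ----

/**
 * Safety net for the "uncontrolled" getSession() calls listed in the thread:
 * if a request arrived without a session, did not log in, and still has one
 * afterwards, log the URI and drop the session so its memory is freed now
 * rather than when it times out.
 */
public class UnauthenticatedSessionFilter implements Filter {
    private ServletContext context;

    public void init(FilterConfig config) { context = config.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        boolean hadSession = request.getSession(false) != null;

        chain.doFilter(req, res);

        HttpSession session = request.getSession(false);
        if (!hadSession && session != null && session.getAttribute("user") == null) {
            context.log("session created for anonymous request to "
                        + request.getRequestURI() + "; invalidating");
            session.invalidate();
        }
    }
}
```

The filter frees the memory that the DoS concern is about, but it cannot retract a JSESSIONID cookie that was already sent if the response was committed before it ran, so treat its log line as a pointer to the JSP, tag or validator call that needs fixing rather than as the fix itself.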