I don't know if storing only immutable state in session is a "Best Practice" (if there exists such a thing as a best practice).
Consider frameworks like JBoss Seam or Spring Web Flow with their support for conversations, which is basically mutable state stored in session scope.

The case seems to be that people are using those sensible, framework-managed, dependency-injected objects (with their XXXAware interfaces) as first-class properties of their actions (by implementing their corresponding getter). Combined with the power of the parameters interceptor, those unwanted aliases get hard to manage.

One way to solve the problem would require avoiding getting direct references to those framework objects; however, this requires that the framework do more stuff for us. For example, JBoss Seam has those @In and @Out annotations for injection and outjection. These are handy because you no longer need to have the actual scope object reference in your actions.

2012/2/27 Greg Lindholm <greg.lindh...@gmail.com>:
> A Best Practice for the Session is to only store Immutable objects in the
> session. This would eliminate the SessionAware issue, plus it can also be
> important for clustered servers.
>
>
> On Tue, Feb 21, 2012 at 9:09 AM, bphill...@ku.edu <bphill...@ku.edu> wrote:
>
>> I was researching the SessionAware interface as I'm planning on adding a
>> tutorial on how to use the HTTP Session object from within a Struts Action
>> class to the tutorials at:
>> https://cwiki.apache.org/confluence/display/WW/Getting+Started .
>>
>> I ran across this
>> http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html
>> blog post and the https://issues.apache.org/jira/browse/WW-3631 Struts 2
>> JIRA issue that discuss a security vulnerability when using SessionAware.
>>
>> I'd like to include in the tutorial the best practices for mitigating this
>> vulnerability. Here is what I think programmers who use SessionAware in
>> their Action class should do to mitigate this vulnerability:
>>
>> 1. Do not create a public Map<String, Object> getSession() method in the
>> Action class.
>>
>> 2. Also implement the ParameterNameAware interface and override its
>> acceptableParameterName method as follows:
>>
>>     // Called by the parameters interceptor for each request parameter;
>>     // returning false makes the interceptor skip that parameter.
>>     public boolean acceptableParameterName(String parameterName) {
>>         boolean allowedParameterName = true;
>>         // Reject any parameter name that could reach the session or
>>         // request objects exposed through the XXXAware interfaces.
>>         if (parameterName.contains("session")
>>                 || parameterName.contains("request")) {
>>             allowedParameterName = false;
>>         }
>>         return allowedParameterName;
>>     }
>>
>> I'd certainly appreciate any feedback on best practices to follow when
>> implementing the SessionAware interface and how to mitigate the security
>> vulnerability.
>>
>> Thank You,
>>
>> Bruce Phillips
>>
>>
>>
>> --
>> View this message in context:
>> http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5502292.html
>> Sent from the Struts - User mailing list archive at Nabble.com.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
>> For additional commands, e-mail: user-h...@struts.apache.org
>>
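The two mitigations Bruce lists, combined with Greg's advice to keep only immutable values in the session, can be put together in one action class. The following is an added example written for this thread, not code posted by any of the participants or shipped with Struts; the class name, package, and the `locale` parameter are assumptions. It differs from Bruce's snippet in one respect: `acceptableParameterName` uses an allow-list of the parameter names this action actually expects instead of a deny-list built on `contains("session")`, so an unexpected name such as `session.userLocale` is rejected without also rejecting a legitimate property that merely happens to contain the word "session".

```java
package example; // hypothetical package, not from the thread

import java.util.Map;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

/**
 * Added example (not from the mailing-list thread). The action
 * (1) receives the session map via SessionAware but never exposes it
 *     through a public getter, so the parameters interceptor has no
 *     "session" property on the action to walk into, and
 * (2) implements ParameterNameAware with an allow-list, so any request
 *     parameter whose name is not explicitly expected here is skipped.
 */
public class PreferencesAction extends ActionSupport
        implements SessionAware, ParameterNameAware {

    // The only request parameter names this action accepts. Anchored with
    // ^ and $, so "locale.x", "session", "request" etc. do not match.
    private static final Pattern ALLOWED_PARAMETER =
            Pattern.compile("^(locale)$");

    // Simple allow-list for the value itself (assumed set of locales).
    private static final Pattern ALLOWED_LOCALE =
            Pattern.compile("^(en|de|fr)$");

    private Map<String, Object> session;   // deliberately no getSession()
    private String locale;

    // SessionAware: the servletConfig interceptor injects the session map.
    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // ParameterNameAware: consulted by the parameters interceptor before
    // it tries to set each request parameter on this action.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
                && ALLOWED_PARAMETER.matcher(parameterName).matches();
    }

    @Override
    public String execute() {
        if (locale == null || !ALLOWED_LOCALE.matcher(locale).matches()) {
            addFieldError("locale", "Unsupported locale");
            return INPUT;
        }
        // Store an immutable value (a String), following Greg's advice:
        // nothing reachable through the session can later be mutated via
        // parameter injection, and it serialises cleanly across a cluster.
        session.put("userLocale", locale);
        return SUCCESS;
    }

    public String getLocale() {
        return locale;
    }

    public void setLocale(String locale) {
        this.locale = locale;
    }
}
```

With this class, a request carrying `locale=de` sets the field as usual, while a request carrying `session.userLocale=xx` is dropped twice over: `acceptableParameterName` returns false for that name, and even without that check there is no `getSession()` for the interceptor to resolve. Whenever a new property is added to the action, the `ALLOWED_PARAMETER` pattern has to be extended, which is the intended cost of an allow-list.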