I appreciate your comments, but what I'd like to accomplish is to determine what instructions we should provide in our tutorial on using the SessionAware interface in order to best mitigate the security vulnerabilities introduced when using SessionAware, given how the Struts 2 framework works today.

I don't think using only immutable objects in the session reduces the vulnerability. String is immutable, but as I understand the security vulnerability of using SessionAware, a hacker could change the String value I've stored in the session. When using SessionAware, what do experienced Struts 2 developers do to reduce as much as possible the vulnerability identified in my original post? I'd like to include these practices in the SessionAware tutorial. Thank you for the feedback.

--
View this message in context: http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5519824.html
Sent from the Struts - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org