
I'm not sure exactly what the concern is?  The nature of sessions
requires that one of two options be used.  1) I can re-write all URLs
to contain a special session key.  This key in the URL is then used by
the servlet container to locate and unserialize the session object
corresponding to that key.  If the client browser has cookies enabled
then another option is available 2) the key is placed in a cookie that
exists until the browser is closed, at which point it is deleted.  On
each request the servlet container uses the key stored in the cookie
to locate and unserialize the session object.

With this in mind, the only time that someone could "bypass" the security
filter is if they have logged in, NEVER closed the browser, and open a
new window from within the original window.  Once the browser has been
closed the session key is destroyed.  The biggest risk is if your
users are at a public terminal and just walk away without closing the
browser.  If you provide the user with a logout option then you can
destroy the session regardless of whether the browser has been closed
or not.

I'm not sure if this applies to SecurityFilter in general, since I
have never used it and as I understand it, SecurityFilter simply wraps
the container's security management.  Good Luck...


On Thu, 17 Feb 2005 10:53:49 +0700, Hari Saptoadi
> Hi all,
> First I'd like to say sorry if someone already asked this question before.
> I'm developing a web app with Struts and Tomcat as web server +
> securityfilter (securityfilter.sourceforge.net). My problem is: if someone
> has already logged in, and that user opens a new browser window, securityfilter can't
> block this request (I mean the user does not have to face the login page again). As
> far as I know this problem occurs because the user has the same session, and my
> question is how can I fix it? (I want every user to have to face the login page
> before using the app.)
> Thank you for your answer ....
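The mechanism the reply describes (a session key carried in a cookie or a rewritten URL, a filter that looks the session up on each request, and a logout that destroys it) as an added example in plain Servlet API code. This is not code from the thread or from the SecurityFilter project; the class names, the `authenticatedUser` attribute, the `/login` and `/logout` paths and the `checkPassword` helper are all assumed for illustration. As the reply says, every window of one browser shares the same session cookie, so this filter still will not force a fresh login per window; it only ensures that an unauthenticated session is turned away and that logout really ends the session.

```java
// Added example, not from the original thread: a gate filter plus login and
// logout servlets using only the standard Servlet API (javax.servlet, Tomcat era).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionGateFilter implements Filter {
    // Session attribute that marks an authenticated session (assumed name).
    static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false) never creates a session: the container only returns
        // one if the request carried a known session key (cookie or URL).
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (!loggedIn) {
            // encodeRedirectURL appends the session id to the URL only when the
            // container has not yet seen a session cookie from this client
            // (the URL-rewriting case the reply describes).
            String loginUrl = response.encodeRedirectURL(request.getContextPath() + "/login");
            response.sendRedirect(loginUrl);
            return;
        }
        chain.doFilter(req, res);
    }
}

// Mapped to /login (assumed path); the filter must not cover this path.
class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (!checkPassword(user, pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Discard whatever session (and key) the client arrived with and start
        // a fresh one, so the key that marks the login was issued only now.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(SessionGateFilter.USER_ATTR, user);
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/"));
    }

    // Placeholder credential check (assumed); a real app consults its user store.
    private boolean checkPassword(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}

// Mapped to /logout (assumed path): destroys the session whether or not the
// browser is ever closed, which is the mitigation the reply recommends for
// shared or public terminals.
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/login"));
    }
}
```

In web.xml the filter would be mapped to the protected URL patterns only (for example `/app/*`), with `/login` left uncovered so the redirect cannot loop; those mappings are an assumption of this example, not something the thread specifies.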
