At 9:48 AM -0500 7/28/05, Josh Cronemeyer wrote:
> Part of the OWASP recommendations is that we do not allow authentication
> and session data to be submitted via GET request; this includes the
> session ID. This comes from the OWASP top ten
> (http://www.owasp.org/documentation/topten/a3.html) under A3.5 under
> "Browser Caching" and "Session ID Protection".
> I can tell JSPs to pass parameters in using a POST request, but if the
> user passes the parameters in through the URL, I need to be able to
> restrict that. Does anyone know of any way to do this in Struts?
Struts doesn't have programmatic support for this right now; I
believe a Bugzilla enhancement was entered (or maybe just a
discussion on the lists) to add HTTP method to the action mappings so
that you could have different mappings for path + protocol. I
haven't heard a lot of use cases for that, so I'd be hesitant to
forge off on an implementation without a little more clarity about
how people want to use it (it's not something I've ever needed.)
In the meantime, I guess the best thing would be to use
HttpServletRequest.getMethod() to test and evaluate whether to
proceed or not.
> Also, does anyone know how to force Struts to not pass along the session
> ID if cookies are disabled?
This is a function of the servlet container, not Struts; if you use
JSP tags which rewrite URLs, they will append the session ID when the
session ID is not being sent as a cookie; the solution is to not use
them! Of course, that leads to links which have the servlet context
hard-coded in them, which is generally annoying.
Why do you not want to pass along the session ID? Do you have an app
which really doesn't use sessions?
Joe
--
Joe Germuska
[EMAIL PROTECTED]
http://blog.germuska.com
"Narrow minds are weapons made for mass destruction" -The Ex
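As an added example (not code from this thread, from Struts, or from the OWASP page), here is one way to put both answers into a single servlet Filter for a Struts 1 / Servlet 2.4 application. It applies Joe's suggestion centrally: HttpServletRequest.getMethod() is checked for a list of action paths that must only be reached by POST, and it also refuses a session ID delivered in the URL (isRequestedSessionIdFromURL()) and credential parameters on the query string. For the second question it takes a different route from the one in the reply: instead of dropping the URL-rewriting tags, it wraps the response so encodeURL()/encodeRedirectURL() return the URL untouched, which stops the container from appending ;jsessionid while <html:link>, <html:form> and c:url keep working. The class name, the action paths in POST_ONLY_PATHS and the parameter names in SENSITIVE_PARAMS are assumptions chosen for the example.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter for a Struts 1 web app (not part of Struts):
 *  1. Action paths listed in POST_ONLY_PATHS are refused unless
 *     request.getMethod() is POST.
 *  2. A session ID delivered as ;jsessionid=... in the path is refused.
 *  3. Credential or session parameters on the query string are refused,
 *     even on a POST, because getParameter() merges query string and body.
 *  4. Response URL rewriting is disabled so the JSP tags never append the
 *     session ID for cookie-less clients.
 */
public class NoSessionInUrlFilter implements Filter {

    // Assumed action paths that must only be reached by POST.
    private static final Set<String> POST_ONLY_PATHS = new HashSet<String>(
            Arrays.asList("/login.do", "/changePassword.do"));

    // Assumed parameter names that must never travel in a URL.
    private static final Set<String> SENSITIVE_PARAMS = new HashSet<String>(
            Arrays.asList("j_username", "j_password", "username", "password", "jsessionid"));

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With a *.do servlet mapping, getServletPath() is the path Struts matches on.
        if (POST_ONLY_PATHS.contains(request.getServletPath())
                && !"POST".equals(request.getMethod())) {
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // The container parsed ;jsessionid=... out of the path rather than a cookie.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "session ID must be sent as a cookie, not in the URL");
            return;
        }

        // Inspect the raw query string: getParameter() would hide where a value came from.
        if (hasSensitiveParam(request.getQueryString())) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "credentials must be sent in the POST body, not in the URL");
            return;
        }

        // Wrapper that turns every URL-rewriting call into a no-op.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
            public String encodeURL(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
            public String encodeUrl(String url) { return url; }          // deprecated aliases,
            public String encodeRedirectUrl(String url) { return url; }  // still called by old tags
        };
        chain.doFilter(request, noRewrite);
    }

    /** True if any parameter NAME in the raw query string is on the deny list. */
    static boolean hasSensitiveParam(String queryString) throws UnsupportedEncodingException {
        if (queryString == null || queryString.length() == 0) {
            return false;
        }
        for (String pair : queryString.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            // Decode so that "j%5Fusername" is treated the same as "j_username".
            String name = URLDecoder.decode(rawName, "UTF-8").toLowerCase(Locale.ENGLISH);
            if (SENSITIVE_PARAMS.contains(name)) {
                return true;
            }
        }
        return false;
    }
}
```

Register it in web.xml with a filter-mapping on /* so it runs before the Struts ActionServlet. Two caveats: isRequestedSessionIdFromURL() only recognises the container's own ;jsessionid path parameter, so a session ID smuggled in as a query parameter is caught only because "jsessionid" is on the assumed deny list; and once rewriting is suppressed, a client with cookies disabled will simply lose its session on the next request, which is the trade-off Josh is asking for rather than a bug.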