Just to clarify things, do you mean another user sending your sessionId stored in your cookie to the shop?
leon

On 1/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Hi,

The question I have is not purely specific to Struts, but I expect that it's a common problem for Struts users.

Suppose you have a web application which is a shop. You have several users, each of which can have orders, accounting details, etc. Now a user logs in and you store the user object in the session. Further, you put a list of orders into a request and forward to a JSP that enables them to select an order. When the user selects an order, the id is submitted to the action, the corresponding order is put into the request and you forward to the OrderDetails page.

Up to now, everything is pretty standard. However, what happens if a user logs in, but then submits an arbitrary id - this would enable him to see orders from other users! How can such security lacks be avoided best?

Cheers,
Thorsten

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
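The problem Thorsten describes (an order id taken from the request and looked up without checking who owns it) is an access-control gap; the fix is to make the logged-in user, read from the session, part of the lookup. The following Struts 1 action is an added example, not code from the thread; `OrderDao`, `Order`, `User`, the forward names and the "user" session key are assumed names.

```java
// Added example (not from the thread): a Struts 1 action that scopes the order
// lookup to the logged-in user, so a guessed id cannot reach another user's order.
// OrderDao, Order, User, the forward names and the "user" session key are assumed.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class OrderDetailsAction extends Action {

    private final OrderDao orderDao = new OrderDao(); // assumed DAO

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // Identity comes from the server-side session, never from the request.
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute("user");
        if (user == null) {
            return mapping.findForward("login");
        }

        long orderId;
        try {
            orderId = Long.parseLong(request.getParameter("id"));
        } catch (NumberFormatException e) {
            return mapping.findForward("notfound");
        }

        // Vulnerable form (what the question describes):
        //   Order order = orderDao.findById(orderId);
        // trusts the submitted id alone, so any logged-in user can view any order.

        // Hardened form: the owner is part of the query, e.g.
        //   SELECT ... FROM orders WHERE id = ? AND owner_id = ?
        // so an id belonging to someone else behaves exactly like a missing one.
        Order order = orderDao.findByIdAndOwner(orderId, user.getId());
        if (order == null) {
            return mapping.findForward("notfound");
        }

        request.setAttribute("order", order);
        return mapping.findForward("details");
    }
}
```

Returning the same "notfound" forward for both unknown and foreign ids avoids telling the caller which ids exist; the same owner-scoped lookup should be applied in every action that loads an order (edit, cancel, invoice), not only the details page.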