Session attributes' thread safety and authentication mechanism questions

 
Bala Krishna
Ranch Hand
I am preparing for the SCWCD exam and have the following doubts. I referred to some books, but couldn't get a clear answer to them, and hence this post:
1) Are session variables thread-safe? The general idea seems to be that they are not. But one of the books I read states that they are thread-safe, since each session is associated with a request, and request variables are thread-safe for most practical purposes.
2) Do both BASIC and FORM authentication methods use Base64 encoding to transmit data to the server?
3) Is the DIGEST mechanism a sufficiently secure mechanism to transmit data to the server? I've read that it uses MD5 encryption, which is a one-way encryption, so it must be secure. What confused me is Alx Dark's tutorial, which said it's only marginally better than the Base64 encoding used by BASIC authentication.
If somebody could please clarify these doubts, I would really appreciate it.
Thanks.
-Bala.
 
Patricia Wu
Greenhorn
1. It is not thread-safe.
ServletConfig, yes (read-only)
ServletContext, no
Session, no
Request, yes
Another discussion
Not sure about the other two, and also want to know whether the HTML form password field is sent using Base64 encoding.
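The "Session, no" entry above is the point most often gotten wrong in practice, so here is an added illustration (not code from the thread or from any book it mentions). It assumes a hypothetical `VisitCounterServlet` built against the javax.servlet API, which must be on the classpath; the unsafe and the two guarded increments are placed side by side.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet that counts the requests made within one session.
// Two browser tabs, or a page firing several AJAX calls, reach it
// concurrently with the same session cookie, so the session attribute is
// shared state between threads even though each request has its own thread.
public class VisitCounterServlet extends HttpServlet {

    // Unsafe: getAttribute and setAttribute are each safe to call, but the
    // read-modify-write sequence is not atomic. Two concurrent requests can
    // both read 5 and both write 6, losing an increment.
    static int incrementUnsafe(HttpSession session) {
        Integer count = (Integer) session.getAttribute("visits");
        int next = (count == null) ? 1 : count + 1;
        session.setAttribute("visits", next);
        return next;
    }

    // Common idiom: serialise the sequence on the session object. Caveat:
    // the Servlet spec does not promise that every request for one session
    // receives the same HttpSession instance (replicated or distributed
    // sessions in particular), so this lock is container-dependent.
    static int incrementSynchronized(HttpSession session) {
        synchronized (session) {
            return incrementUnsafe(session);
        }
    }

    // More robust: store a value that is itself thread-safe once, then
    // mutate it atomically; later requests only read the attribute.
    static int incrementAtomic(HttpSession session) {
        AtomicInteger counter = (AtomicInteger) session.getAttribute("visits");
        if (counter == null) {
            synchronized (session) {   // guard only the one-time creation
                counter = (AtomicInteger) session.getAttribute("visits");
                if (counter == null) {
                    counter = new AtomicInteger();
                    session.setAttribute("visits", counter);
                }
            }
        }
        return counter.incrementAndGet();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        int visits = incrementAtomic(req.getSession(true));
        resp.setContentType("text/plain");
        resp.getWriter().println("Visits in this session: " + visits);
    }
}
```

With `incrementUnsafe`, hammering the servlet from two tabs of the same browser will sooner or later report a count lower than the number of requests made; the other two variants do not lose increments on a single container.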
 
Bala Krishna
Ranch Hand
Thanks Patricia. The discussion answered all the questions I had about the thread safety of session attributes.
Hoping to get answers for the remaining two questions. Thanks.
-Bala.
 
Mikalai Zaikin
Ranch Hand
Hi.
About the BASIC and FORM authentication mechanisms:
BASIC uses Base64 encoding (NOTE: not encryption), so the password could be easily extracted from a sniffed HTTP request by anyone.
FORM does not use any mechanism for even encoding. Both the ID and the PASSWORD are passed as plain text form parameters. You can test this by creating some HTML form with INPUT TYPE=PASSWORD and making ACTION=".." METHOD="GET" (or not defining the method at all). Then, after submitting, you will see your password in plain text in the query string (although in the HTML form it will be hidden by asterisks).
Hope this helps.
 
Bala Krishna
Ranch Hand
It sure did. Thanks Mikalai.
-Bala.
 