
HFSJ Chapter 12 question

 
Yasir Bajwa
Greenhorn
Posts: 23
Hi,

I think I understand the basic concepts in the chapter; one issue is that the login would have to be performed every time a constrained resource is requested. How can login data be persisted?

Since HTTP/S is stateless, where could we keep the login data? I don't think we could use sessions, since that is associated with a JSESSIONID which at times could be sent over HTTP insecurely and then intercepted?

Perhaps we could do something when the requests move in/out of secure requests?
 
nitin pai
Ranch Hand
Posts: 185
You could very well save the login info in your session object. The JSESSIONID has got nothing to do with your session object info. It is just a randomly generated key used to identify whether the requests are coming from the same user.
 
Yasir Bajwa
Greenhorn
Posts: 23
Hi, yes, I understand the JSESSIONID identifies the user, but this is also a problem.

If someone intercepts the HTTP Header information, copies the JSESSIONID and then submits their own request, they could impersonate that user.

How can we solve this problem?
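The standard mitigations for the JSESSIONID interception described in this thread are to only ever send the id over TLS and to issue a fresh id at the moment of login, so that any id observed before authentication is never bound to the logged-in user. The login servlet below is an added example, not code from the thread; it assumes a Servlet 3.0+ container with a realm configured so that `req.login()` performs the credential check, and a hypothetical `/account` page to redirect to.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the thread). Assumes a Servlet 3.0+ container with a
// realm configured, so that req.login() performs the actual credential check.
// Pair it with web.xml settings: <transport-guarantee>CONFIDENTIAL</transport-guarantee>
// on the constrained resources, and <session-config><cookie-config>
// <secure>true</secure><http-only>true</http-only></cookie-config></session-config>
// so the browser never sends JSESSIONID over plain HTTP or exposes it to scripts.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Refuse credentials on plain HTTP: the password and the JSESSIONID that
        // follows would both be readable on the wire.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Discard any session that existed before login (it may have been created
        // over HTTP and its id already seen by a third party) and start a new one,
        // so a previously captured id is never associated with the authenticated user.
        // On Servlet 3.1+ containers req.changeSessionId() achieves the same rotation.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        try {
            req.login(user, pass);   // container-managed authentication against the realm
        } catch (ServletException bad) {
            session.invalidate();    // leave no half-authenticated session behind
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60);   // short idle timeout bounds exposure
        resp.sendRedirect(req.getContextPath() + "/account");  // hypothetical landing page
    }
}
```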