JSP/URL Copy Security

 
James Clinton
Ranch Hand
I have an issue.
When a user logs in and copies the URL in the browser, then emails it to a *friend* who opens it up in a new browser, the *friend* is logged into the system as the user who sent the email!!
Hiding the URL is good because of course you can right click and grab the URL from the properties page, and I want a better fix than this (pls don't suggest disabling the right mouse button).
In the jsp session I am passing a UserWebModel object which is holding all the important details.
How can I check a different browser is being used?
Is there some browser id like a session id?
Thanks
James
 
Jeroen Wenting
Ranch Hand
The 2nd user would already have a different session, unless you pass the session ID on the request string.
Add: if you forward the requests from some central servlet based on a POST parameter instead of a GET parameter the URL in the browser will look to be the one of that central servlet but without the parameter.
If you make that empty URL the login page or an error page you're done.
[ January 16, 2004: Message edited by: Jeroen Wenting ]
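The point above is that a second browser only inherits the first user's session when the session ID travels in the URL. The following is an added example, not code from the thread or from any of the posters, showing two defensive pieces in the Servlet API: a context listener that tells a Servlet 3.0+ container to track sessions by cookie only (so `response.encodeURL()` never appends `;jsessionid=...`), and a filter that treats any session ID arriving in the URL as leaked, invalidates that session and sends the client to the login page. The `loginPath` init parameter and the `/login.jsp` default are assumptions about the application.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet 3.0+ (assumption: a modern container): track sessions with the
 * cookie only, so the container never rewrites URLs to carry the session ID.
 * On older containers the same effect comes from not calling encodeURL().
 */
public class CookieOnlySessionListener implements ServletContextListener {
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    public void contextDestroyed(ServletContextEvent sce) { }
}

/**
 * Belt and braces: if the session ID on this request came from the URL rather
 * than from the cookie, the link has been copied somewhere it should not be.
 * Invalidate the session so the pasted link stops working, then redirect to login.
 */
class RejectUrlSessionIdFilter implements Filter {
    // Assumption: the application's login page; override with the "loginPath" init-param.
    private String loginPath = "/login.jsp";

    public void init(FilterConfig cfg) {
        String configured = cfg.getInitParameter("loginPath");
        if (configured != null) {
            loginPath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            HttpSession leaked = request.getSession(false);
            if (leaked != null) {
                leaked.invalidate(); // whoever holds the URL can no longer ride this session
            }
            response.sendRedirect(request.getContextPath() + loginPath);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to `/*` in `web.xml` ahead of the front controller. On a Servlet 3.0+ container the listener can be replaced by `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in `web.xml`. Invalidating the session on a URL-borne ID means the original user is logged out too; that is deliberate, since there is no way to tell from the request which of the two browsers is the legitimate one.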
 
James Clinton
Ranch Hand
The URL copied uses URL Re-writing, therefore all the details of the user model are in the session passed in the address bar:
see:
http://www........./action;jsessionid=0e9d1c677f1c4920a522f111c47cd21f?primarySession=true
I don't believe using POST will solve this.
 
Frank Carver
Sheriff
Well, you can never be completely proof against this, but you can probably prevent most obvious abuses by checking the originating IP address (from request.getRemoteAddr() ) of each request with one that you stored in the session when you created it.
This won't be proof against two people "sharing" who are behind the same address-translating proxy, or if your servlet container is attached to a "front-door" server by port-forwarding rather than the more usual API connection. In both those cases, the originating IP address will be the same for both requesters.
You could also place an extra layer of HTTP Basic authentication in front of your application, so different users would need to log in. How do you handle logging in at the moment?
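The address check described above, as an added example that is not part of the thread or any poster's code: a filter that records `request.getRemoteAddr()` in the session the first time it sees that session and refuses later requests on the same session from a different address. The attribute name `sessionBoundRemoteAddr` and the choice of a 403 response are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds each session to the client address that first used it and rejects
 * the session when it is presented from anywhere else.
 */
public class SessionAddressBindingFilter implements Filter {
    // Assumption: session attribute under which the bound address is stored.
    static final String BOUND_ADDR = "sessionBoundRemoteAddr";

    public void init(FilterConfig cfg) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session != null && !matchesBoundAddress(session, request.getRemoteAddr())) {
            // Same session ID, different client: treat it as shared or stolen.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "session is bound to another client");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns true when addr matches the address stored in the session, binding
     * the address on first use. Synchronized on the session so two concurrent
     * first requests cannot both pass with different addresses.
     */
    static boolean matchesBoundAddress(HttpSession session, String addr) {
        synchronized (session) {
            String bound = (String) session.getAttribute(BOUND_ADDR);
            if (bound == null) {
                session.setAttribute(BOUND_ADDR, addr);
                return true;
            }
            return bound.equals(addr);
        }
    }

    public void destroy() { }
}
```

Binding on first use is the simplest wiring; binding at the moment of successful login (setting the attribute from the login servlet) is tighter, because it closes the window in which an unauthenticated session could be bound by someone else. The caveat in the post applies unchanged: behind a NAT gateway or a port-forwarding front end, `getRemoteAddr()` is the same for everyone, so the check passes for both the sender and the *friend*.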
 
James Clinton
Ranch Hand
The application is based around the front controller pattern. Users are validated against a DB2 database via Attunity middleware and CICS.
The mainframe COMMAREA returns a flag and records the session ID. All this information is then managed by a bean which is held in the session and checked on each request made.
 
Eric Pascarello
author
Rancher
Can I ask why you don't believe POST would work?
If you use POST it will not show up in the query string, and you can grab it by requesting the form.
If they pasted the link then it would not contain the information.
Eric
 
James Clinton
Ranch Hand
Because the login values are contained in an object in the JSP session using "URL rewriting", not passed along with the request like a non-URL-rewriting link.
ps. Post is being used.
 