
Authentication with JSP question and "referer" header

 
B Wiley Snyder
Ranch Hand
Posts: 50
Hello everyone,
I basically have everything going great so far with my login page. My question is.....

In my "members" area I've set this at the top of the "members" page...


My question is, how secure is this? Can someone set the referrer header at any location to the login URL of my site and gain access to my members pages?

If I am not being clear on anything let me know and I will rephrase my question.

Thanks in advance
 
B Wiley Snyder
Ranch Hand
Posts: 50
Let me add one more point. The point of the code I posted was, if someone was not sent from the login page (i.e. they just added the URL to the address bar and did not log in) they are directed back to the login page.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
You are using referer for authentication? I'd recommend a less chancy approach.

Either use container-managed authentication, or if you require more control than that allows, use the session to record an authentication token once appropriate credentials have been submitted.

A servlet filter would be a good way to check for such a token.
 