roul ravashimka
I am interested in how a J2EE application with login is implemented.
In the Petstore, intercepting filters are used to decide if a user is logged in, or if a user asks for a secured page (this means a user must be logged in to view the page).
As I understand it, the status of the user is held in a database.
This database holds, as I understand it, mainly two fields: an id and a status.
If you're logged in, the status is e.g. 'logged in', if not: 'logged out'.
How does the system know who you are?
Suppose you're logged in and you send a request to the system. How does the system recognise you? Is there a hidden field in the request/response which holds your username?
How does it track your identity across all the requests you make?
Are there better strategies for logging in/out? As they say at the Petstore, there are 3 techniques: HTTP basic authentication, SSL authentication, or form-based login. Which technique is best/easiest?
Thanks for reading,
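The mechanism the question is asking about is the servlet session, not a hidden field. The container keeps a server-side HttpSession object per visitor and gives the browser only an opaque session id (normally the JSESSIONID cookie, or a ";jsessionid=..." path segment when cookies are off). On every request the container looks the id up and hands the filter the same HttpSession, so "who you are" is whatever the login code stored in that session. The three techniques named in the post are the standard web.xml <auth-method> values BASIC, CLIENT-CERT and FORM. The following is an added example, not code from the Pet Store or from the original poster: an intercepting filter that guards /secure/*, a login servlet that rotates the session id before marking the user as logged in, and a logout. The names LoginCheckFilter, USER_ATTR, /login.jsp, /secure/* and checkCredentials are assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not Pet Store code). Map this filter to /secure/* in web.xml:
 *   <filter><filter-name>loginCheck</filter-name>
 *           <filter-class>LoginCheckFilter</filter-class></filter>
 *   <filter-mapping><filter-name>loginCheck</filter-name>
 *                   <url-pattern>/secure/*</url-pattern></filter-mapping>
 */
public class LoginCheckFilter implements Filter {

    /** Session attribute under which the login servlet stores the user name (assumed name). */
    static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig cfg) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to find out whether one exists.
        // The container resolved the session from the JSESSIONID cookie (or URL) for us;
        // nothing the client sends carries the user name itself.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // Not logged in: send the browser to the login form. encodeRedirectURL adds
            // ;jsessionid=... only when the client is not using cookies.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + "/login.jsp"));
            return;
        }
        chain.doFilter(req, res);   // logged in: let the request reach the secured page
    }

    public void destroy() { }
}

/** Added example: form-based login target (the <form action> of login.jsp posts here). */
class LoginServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (username == null || password == null || !checkCredentials(username, password)) {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + "/login.jsp?error=1"));
            return;
        }

        // Session fixation defence: drop whatever session id the browser arrived with
        // (an attacker may have planted it) and issue a fresh one before storing identity.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(LoginCheckFilter.USER_ATTR, username);

        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/secure/index.jsp"));
    }

    /**
     * Assumed hook: verify the credentials against the application's user store
     * (database, LDAP, ...). The example deliberately accepts no one until this is
     * wired to a real store, so an unfinished deployment fails closed.
     */
    private boolean checkCredentials(String username, String password) {
        return false;
    }
}

/** Added example: logout is simply discarding the server-side session. */
class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();   // the old JSESSIONID no longer maps to anything
        }
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/login.jsp"));
    }
}
```

Two practical notes on this design. The "logged in / logged out" status lives in the session, so no database flag is needed for it; a database row is only consulted once, at login, to check the credentials. And because the session id is the only thing tying a request to a user, it must be protected like a password: serve it over HTTPS, mark the cookie Secure and HttpOnly where the container allows it, keep session timeouts short, and rotate the id at login as shown above.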