1) UserA logs in with password ABC from a browser. You store the password in the Session.
2) UserA (the same user) logs in from one more browser.
3) UserA changes password to XYZ from browser1. You compare the old password from the Session and then save the new password in the database.
4) UserA tries to change password *from browser2*. You check the old password in the Session (which is still maintained as ABC even though the password has changed to XYZ) - This is NOT what you would want to happen.
So it's better that you retrieve the old password from the database for the check when the password is being changed.
When the user wants to change his/her password, I suggest you ask them for the current password along with the new password. If current doesn't == password in database, then fail.
Also, consider encrypting all database passwords with a one-way hash to prevent someone from reading your DB directly and getting the passwords that way.
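The change-password flow the two posts above describe, as an added example that is not code from the thread: the submitted current password is compared against a salted one-way hash read from the user store, never against anything cached in the session, so a second browser whose session still "remembers" the old password is refused. The in-memory USERS map stands in for the database table, and the PasswordChangeDemo/UserRecord names and the PBKDF2 parameters are my own assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordChangeDemo {

    // Constructed in-memory stand-in for the users table: username -> (salt, hash).
    static final class UserRecord {
        final byte[] salt;
        final byte[] hash;
        UserRecord(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static final Map<String, UserRecord> USERS = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 100_000;  // assumed PBKDF2 work factor
    static final int KEY_BITS = 256;

    // One-way, salted hash: the database never holds the password itself.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    static void storePassword(String user, String password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        USERS.put(user, new UserRecord(salt, pbkdf2(password.toCharArray(), salt)));
    }

    // Verifies a candidate against the stored hash with a constant-time compare.
    static boolean verify(String user, String candidate) throws Exception {
        UserRecord rec = USERS.get(user);
        if (rec == null) return false;
        return MessageDigest.isEqual(rec.hash, pbkdf2(candidate.toCharArray(), rec.salt));
    }

    // The check the thread recommends: the "current password" from the form is
    // compared with the database record, not with a value kept in the session.
    static boolean changePassword(String user, String current, String replacement) throws Exception {
        if (!verify(user, current)) return false;   // wrong or stale current password: refuse
        storePassword(user, replacement);           // re-salt and re-hash the new password
        return true;
    }

    public static void main(String[] args) throws Exception {
        storePassword("userA", "ABC");

        // Browser 1 changes ABC -> XYZ.
        System.out.println("browser1 change ABC->XYZ: " + changePassword("userA", "ABC", "XYZ"));

        // Browser 2 still holds ABC; because the check reads the database it is refused.
        System.out.println("browser2 change ABC->QRS: " + changePassword("userA", "ABC", "QRS"));

        // Browser 2 with the real current password succeeds.
        System.out.println("browser2 change XYZ->QRS: " + changePassword("userA", "XYZ", "QRS"));
    }
}
```

In a real servlet the only thing worth keeping in the HttpSession is the user id; the hash lookup above would be a query against the users table keyed on that id.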
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension).
Can you please tell me how? As far as I know, this extension allows you to see the cookies only (not the session attributes).
I use it a lot for security testing my web applications. I.e., I fill in a form with valid values and press submit. The client side validation occurs and it is happy with the values I entered, so it sends the HTTP request to the server. TamperData intercepts the request at this stage and it allows me to modify the request parameters. I modify the request parameters - put in invalid values and press submit.
Voila! Now the server side validation occurs and I get a nice little error message saying that I have entered incorrect values. My web application is secure.
P.S.: I thought that the information above will be useful for security testing purposes. If the moderators believe that it violates the forum rules, then please edit my post.
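The server-side check the post above is exercising, as an added example that is not code from the thread: the validator works only on the raw parameters the server received, so a request whose values were edited after the browser's own checks passed is rejected exactly as if no client-side validation existed. The ServerSideValidation class, the field names and the constructed request maps are my own assumptions (Java 9 or later for Set.of).

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class ServerSideValidation {

    private static final Pattern EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");
    // Whitelist of the only values the form's <select> can legitimately submit.
    private static final Set<String> SHIPPING = Set.of("standard", "express");

    // Validates the parameters exactly as received; trusts nothing the client did.
    static List<String> validate(Map<String, String> params) {
        List<String> errors = new ArrayList<>();

        String qty = params.getOrDefault("quantity", "");
        try {
            int n = Integer.parseInt(qty);
            if (n < 1 || n > 10) errors.add("quantity must be between 1 and 10");
        } catch (NumberFormatException e) {
            errors.add("quantity must be a whole number");
        }

        String email = params.getOrDefault("email", "");
        if (email.length() > 254 || !EMAIL.matcher(email).matches()) {
            errors.add("email is not valid");
        }

        if (!SHIPPING.contains(params.getOrDefault("shipping", ""))) {
            errors.add("shipping option not recognised");
        }

        return errors;
    }

    public static void main(String[] args) {
        // Constructed request as the browser's validated form would send it.
        Map<String, String> clean = new LinkedHashMap<>();
        clean.put("quantity", "3");
        clean.put("email", "user@example.com");
        clean.put("shipping", "standard");

        // Constructed copy of the same request after its parameters were edited in transit.
        Map<String, String> tampered = new LinkedHashMap<>(clean);
        tampered.put("quantity", "-1");
        tampered.put("shipping", "free");

        System.out.println("clean request errors:    " + validate(clean));
        System.out.println("tampered request errors: " + validate(tampered));
    }
}
```

The point of the whitelist on the shipping field is that a drop-down offers no protection on its own: the server has to enumerate the acceptable values itself, because the request can carry any string.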
Originally posted by Rusty Smythe:
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).
How would the webdev plugin help someone view objects stored in session?
You do realize that the session object, and all objects bound to it, are stored on the server, right?
Originally posted by Timothy Sam:
Hmmmm... Yes, I couldn't agree more. Here I am Mr. Google! Or maybe you could PM me the answer?
First, please see:
http://faq.javaranch.com/view?UseTheForumNotEmail to see why we discourage technical conversations from going to PM or email.
Second, why are you so anxious to learn how to hack into someone's session?