
Session vs DB stored values

 
Ranch Hand
Posts: 751
I have a feature that enables users to change their password. Their password is stored in a session-scoped variable upon login, and I use this to compare their new password to the old one. Is this a good idea? Or should I be getting the old password, the one that is stored in the database? Thanks!
 
Sheriff
Posts: 10445
227
IntelliJ IDE Ubuntu
Here's my thought - consider the following case:

1) UserA logs in with password ABC from a browser. You store the password in the Session.
2) UserA (the same user) logs in from one more browser.
3) UserA changes the password to XYZ from browser1. You compare the old password from the Session and then save the new password in the database.
4) UserA tries to change the password *from browser2*. You check the old password in the Session (which is still maintained as ABC even though the password has changed to XYZ) - this is NOT what you would want to happen.

So it's better to retrieve the old password from the database for the check when the password is being changed.
 
Timothy Sam
Ranch Hand
Posts: 751
Thank you very much. I, too, thought retrieving from the DB would be a better solution. Thanks!
 
Ranch Hand
Posts: 93
Mac Objective C Ruby
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).

When the user wants to change his/her password, I suggest you ask them for the current password along with the new password. If the current password doesn't == the password in the database, then fail.

Also, consider encrypting all database passwords with a one-way hash to prevent someone from reading your DB directly and getting the passwords that way.
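Putting together the two points made in this thread (check the re-entered current password against the database row rather than a copy held in the session, so the second-browser case above is handled, and store only a one-way hash), here is an added example that is not code from this thread or from any poster. The in-memory map standing in for the database table, the user id, the sample passwords and the PBKDF2 parameters are all assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordChange {
    private static final int ITERATIONS = 210_000; // assumed work factor
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();
    // Constructed stand-in for the users table: userId -> "base64(salt):base64(hash)".
    // Only the hash is persisted; the clear-text password is never stored anywhere.
    private final Map<String, String> db = new ConcurrentHashMap<>();

    public void register(String userId, char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        db.put(userId, b64(salt) + ":" + b64(pbkdf2(password, salt)));
    }

    // The HttpSession contributes only the user id. The current password is typed in
    // again by the user and verified against the database row, so a stale copy in
    // a second session (browser2 in the scenario above) can never pass the check.
    public boolean changePassword(String sessionUserId, char[] current, char[] replacement) {
        String stored = db.get(sessionUserId);
        if (stored == null) return false;
        String[] parts = stored.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        // Constant-time comparison: does not leak how many leading bytes matched.
        if (!MessageDigest.isEqual(expected, pbkdf2(current, salt))) return false;
        register(sessionUserId, replacement); // new salt for the new password
        return true;
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] bytes) { return Base64.getEncoder().encodeToString(bytes); }
}
```

A change from browser1 (old ABC, new XYZ) succeeds, a later attempt from browser2 that still supplies ABC fails, and one that supplies XYZ succeeds, which is exactly the behaviour the session-based check gets wrong.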
 
Ranch Hand
Posts: 536

Originally posted by Rusty Smythe:
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension).

Can you please tell me how? As far as I know, this extension allows you to see the cookies only (not the session attributes).
 
Timothy Sam
Ranch Hand
Posts: 751
Yeah, please tell us how... Thank you.
 
Ranch Hand
Posts: 15304
6
Mac OS X IntelliJ IDE Chrome
I'd prefer, if it is possible, for that information not to be told. Sure, you can probably go google that information pretty easily, but I'd prefer it if JavaRanch would stay away from providing hacking information.

Thanks.
 
Timothy Sam
Ranch Hand
Posts: 751
Hmmmm... Yes, I couldn't agree more. Here I am Mr. Google! Or maybe you could PM me the answer?
 
Richard Green
Ranch Hand
Posts: 536
One other Firefox extension that is worth mentioning is 'Tamper Data'. TamperData is an extension to track and modify HTTP/HTTPS requests. It is really great for security testing your web applications.

I use it a lot for security testing my web applications, i.e., I fill in a form with valid values and press submit. The client-side validation occurs and it is happy with the values I entered, so it sends the HTTP request to the server. TamperData intercepts the request at this stage and allows me to modify the request parameters. I modify the request parameters - put in invalid values - and press submit.

Voila! Now the server-side validation occurs and I get a nice little error message saying that I have entered incorrect values. My web application is secure.

P.S.: I thought that the information above would be useful for security testing purposes. If the moderators believe that it violates the forum rules, then please edit my post.
 
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat

Originally posted by Rusty Smythe:
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).

How would the webdev plugin help someone view objects stored in session?
You do realize that the session object, and all objects bound to it, are stored on the server, right?
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat

Originally posted by Timothy Sam:
Hmmmm... Yes, I couldn't agree more. Here I am Mr. Google! Or maybe you could PM me the answer?

First, please see:
http://faq.javaranch.com/view?UseTheForumNotEmail to see why we discourage technical conversations from going to PM or email.

Second, why are you so anxious to learn how to hack into someone's session?
 