I have a feature that enables users to change their password. Their password is stored in a session-scoped variable upon login, and I use this to compare their new password to the old one. Is this a good idea? Or should I be getting the old password, the one that is stored in the database? Thanks!
1) UserA logs in with password ABC from a browser. You store the password in the session.
2) UserA (the same user) logs in from one more browser.
3) UserA changes the password to XYZ from browser 1. You compare the old password from the session and then save the new password in the database.
4) UserA tries to change the password *from browser 2*. You check the old password in the session (which is still maintained as ABC even though the password has changed to XYZ). This is NOT what you would want to happen.
So it's better to retrieve the old password from the database when doing the check as the password is being changed.
Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).
When the user wants to change his/her password, I suggest you ask them for the current password along with the new password. If the current password doesn't match the password in the database, then fail.
Also, consider encrypting all database passwords with a one-way hash to prevent someone from reading your DB directly and getting the passwords that way.
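Putting the two-browser scenario and the "ask for the current password, check it against the database" advice together, here is an added, self-contained example (not code from the original posts). It simulates two sessions for the same user with an in-memory map standing in for the users table, stores only a salted PBKDF2 hash rather than the password, and shows that the session-cached comparison accepts a stale password while the database comparison rejects it. The class and method names are mine; the "database" is a constructed stand-in.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordChangeDemo {

    // Stand-in for the users table: username -> "base64salt:base64hash". Constructed for the demo.
    private static final Map<String, String> USERS = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    // One-way, salted hash (PBKDF2-HMAC-SHA256) so a leaked table does not yield passwords.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static void storePassword(String user, String password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password.toCharArray(), salt);
        USERS.put(user, Base64.getEncoder().encodeToString(salt) + ":"
                + Base64.getEncoder().encodeToString(hash));
    }

    // Check a candidate password against the stored record using a constant-time comparison.
    static boolean verifyPassword(String user, String candidate) throws Exception {
        String record = USERS.get(user);
        if (record == null) return false;
        String[] parts = record.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, pbkdf2(candidate.toCharArray(), salt));
    }

    // The approach from the question: compare against the copy cached in this session.
    static boolean changeViaSession(Map<String, Object> session, String current, String replacement) throws Exception {
        if (!current.equals(session.get("password"))) return false;
        storePassword((String) session.get("user"), replacement);
        session.put("password", replacement); // only THIS session learns the new value
        return true;
    }

    // The recommended approach: verify the current password against the database every time.
    static boolean changeViaDatabase(Map<String, Object> session, String current, String replacement) throws Exception {
        String user = (String) session.get("user");
        if (!verifyPassword(user, current)) return false;
        storePassword(user, replacement);
        return true;
    }

    public static void main(String[] args) throws Exception {
        storePassword("UserA", "ABC");

        // UserA logs in from two browsers; each session caches the password, as in the question.
        Map<String, Object> browser1 = new HashMap<>(Map.of("user", "UserA", "password", "ABC"));
        Map<String, Object> browser2 = new HashMap<>(Map.of("user", "UserA", "password", "ABC"));

        // Browser 1 changes the password to XYZ.
        System.out.println("browser1 ABC->XYZ (session check): " + changeViaSession(browser1, "ABC", "XYZ"));

        // Browser 2 still holds the stale copy, so the old password ABC is accepted. Wrong.
        System.out.println("browser2 ABC->QRS (session check): " + changeViaSession(browser2, "ABC", "QRS"));

        // Reset to XYZ and repeat with the database check: the stale password is rejected.
        storePassword("UserA", "XYZ");
        System.out.println("browser2 ABC->QRS (database check): " + changeViaDatabase(browser2, "ABC", "QRS"));
        System.out.println("browser2 XYZ->QRS (database check): " + changeViaDatabase(browser2, "XYZ", "QRS"));
    }
}
```

Run with `java PasswordChangeDemo.java` (Java 11 or later). The session version prints true for the stale ABC from browser 2; the database version prints false for ABC and true only for the real current password XYZ. Note that the session never needs to hold the password at all: the user-id is enough, since every check goes to the stored hash.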
I'd prefer , if it is possible, for that information not to be told. Sure, you can probably go google that information pretty easily, but I'd prefer it if JavaRanch would stay away from providing hacking information.
One other firefox extension that is worth mentioning is 'Tamper Data'. TamperData is an extension to track and modify http/https requests. It is really great for security testing your web applications.
I use it a lot for security testing my web applications, i.e., I fill in a form with valid values and press submit. The client-side validation occurs and it is happy with the values I entered, so it sends the HTTP request to the server. TamperData intercepts the request at this stage and allows me to modify the request parameters. I modify the request parameters, put in invalid values and press submit.
Voila! Now the server side validation occurs and I get a nice little error message saying that I have entered incorrect values. My web application is secure.
P.S: I thought that the information above will be useful for security testing purposes. If the moderators believe that it violates the forum rules, then please edit my post.
MCSD, SCJP, SCWCD, SCBCD, SCJD (in progress - URLybird 1.2.1)
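The test described in the post above, as an added example that is not part of the original thread: a server-side validator that checks the raw request parameters exactly as received, run once on the values the browser's own checks let through and once on the same request after it was edited in Tamper Data. Both parameter maps are constructed for the demo, and the field rules are my own assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class ServerSideValidation {

    // Allow-list rules applied on the server; the client's JavaScript checks are irrelevant here.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{3,20}");
    private static final Pattern EMAIL = Pattern.compile("[^@\\s]+@[^@\\s]+\\.[A-Za-z]{2,}");

    // Validate request parameters as the servlet would see them; returns an empty list when valid.
    static List<String> validate(Map<String, String> params) {
        List<String> errors = new ArrayList<>();
        String username = params.getOrDefault("username", "");
        if (!USERNAME.matcher(username).matches()) errors.add("username: 3-20 letters, digits or _");
        String email = params.getOrDefault("email", "");
        if (!EMAIL.matcher(email).matches()) errors.add("email: not a valid address");
        try {
            int qty = Integer.parseInt(params.getOrDefault("quantity", ""));
            if (qty < 1 || qty > 99) errors.add("quantity: must be 1-99");
        } catch (NumberFormatException e) {
            errors.add("quantity: not a number");
        }
        return errors;
    }

    public static void main(String[] args) {
        // What the browser sent after its own checks passed (constructed).
        Map<String, String> asSubmitted = Map.of("username", "rusty", "email", "rusty@example.com", "quantity", "2");
        // The same request after editing the parameters in Tamper Data (constructed).
        Map<String, String> tampered = Map.of("username", "<script>", "email", "nope", "quantity", "-5");
        System.out.println("submitted: " + validate(asSubmitted)); // []
        System.out.println("tampered:  " + validate(tampered));    // three errors
    }
}
```

The point the post makes is exactly this: the second call is the only check that counts, because everything the browser does before the request leaves the client can be undone with a proxy or an extension.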
Originally posted by Rusty Smythe: Storing that data in the session is not a good idea, because the user (or someone else at the user's machine) can see it (i.e., using the Firefox Web Dev Extension). It is better to store a user-id (record number).
How would the webdev plugin help some view objects stored in session? You do realize that the session object, and all objects bound to it, are stored on the server, right?