Question regarding servlet security


Arijit De
Greenhorn
Posts: 10
Hi,

I am facing a security issue in IE8.

I have two login roles, admin and user.

I first log in as an admin. Then I go to another browser window and log in as a user.

Then I copy the URL from the IE8 address bar of the admin login window and paste it into the user login browser window, and it automatically logs in as an administrator.

Can you tell me how to fix this issue?

Thanks,

Bear Bibeault
Author and ninkuma
Marshal
Posts: 65122
Read this article and pay particular attention to the PRG pattern. No action should ever be repeatable by simply copying a URL which results in a GET.

Arijit De
Bear Bibeault wrote:Read this article and pay particular attention to the PRG pattern. No action should ever be repeatable by simply copying a URL which results in a GET.

I am using a POST request. Not a GET.

Bear Bibeault
Pasting the URL results in a GET. If it can cause anything but a "get" action to occur, it's wrong.

Arijit De
OK, how do I fix it? The request is a POST.

Bear Bibeault
Arijit De wrote:The request is a post.

The second request that you are worried about -- the one where the URL is pasted into the browser -- is a GET. As long as you keep insisting that it is a post, we cannot go any further.

Your server-side code should not be written to allow non-GET actions to use GET. Are your servlets written to treat GET and POST the same? If so, they're wrong.
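One way to structure a login servlet along the lines Bear describes, as an added example and not code from this thread or from the original poster's application: GET only renders the form and never performs the login, POST does the credential check and binds the result to a fresh session instead of to anything in the URL, and a successful login ends in a redirect (Post/Redirect/Get) so the address bar never holds a replayable action. The `USERS` table, the `authenticate()` helper, and the `/home` and `/admin/home` target paths are made up for illustration.

```java
// Added example (not code from the thread). Login servlet that keeps the
// state-changing work in doPost, answers GET with the form only, and
// redirects after login (PRG). USERS, authenticate() and the landing-page
// paths are hypothetical stand-ins for a real user store and site layout.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Constructed sample users: name -> {password, role}. A real application
    // looks these up in a user store and compares salted password hashes.
    private static final Map<String, String[]> USERS = Map.of(
            "alice", new String[] {"admin-secret", "admin"},
            "bob",   new String[] {"user-secret", "user"});

    // GET renders the form and nothing else. It does not read credentials
    // from the query string and does not delegate to doPost; either of those
    // is what lets a pasted URL such as /login?user=alice&pass=... log in.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.println("<form method=\"post\" action=\"login\">");
        out.println("  <input name=\"user\" autocomplete=\"off\">");
        out.println("  <input name=\"pass\" type=\"password\">");
        out.println("  <button type=\"submit\">Log in</button>");
        out.println("</form>");
    }

    // POST carries the credentials in the request body, so copying the
    // address bar cannot replay it. On success the identity goes into a
    // fresh session and the browser is redirected to a page that is safe
    // to GET, reload and bookmark.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        String role = authenticate(user, pass);
        if (role == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad credentials");
            return;
        }
        // Discard any session that already exists so this login neither
        // inherits nor leaks an identity established in another window.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        session.setAttribute("role", role);

        // Post/Redirect/Get: the follow-up request is a plain GET of the
        // landing page, with no action or credentials in the URL.
        String target = "admin".equals(role) ? "/admin/home" : "/home";
        resp.sendRedirect(req.getContextPath() + target);
    }

    // Hypothetical credential check against the constructed table above.
    static String authenticate(String user, String pass) {
        if (user == null || pass == null) {
            return null;
        }
        String[] entry = USERS.get(user);
        if (entry == null || !entry[0].equals(pass)) {
            return null;
        }
        return entry[1];
    }
}
```

Two things to check against the servlet that currently misbehaves: whether its `doGet` calls `doPost` (or `processRequest`) so that a GET with the right query parameters performs the login, and whether the copied URL contains `;jsessionid=...`, which means the container is rewriting the session id into the URL and the pasted address carries the admin session with it. The first is fixed by separating the methods as above; the second by restricting session tracking to cookies (`<tracking-mode>COOKIE</tracking-mode>` under `<session-config>` in a Servlet 3.0 `web.xml`). Note also that `getParameter()` reads query-string parameters on POST requests too, so `doPost` should not be reachable via a method that forwards GET requests to it.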