Tinus Tate - 1 year ago 73
Java Question

User defined value in session a security risk?

Is putting a value which the user can define/specify in an HTTP session a security risk?


If this is the case, what can I do to solve this?

One thing I can think of is a huge value which fills up my hard disk/memory, but it seems a bit far-fetched. Limiting the string length could solve this.

Answer Source

In the end I decided to only do a check on string length.

Most of the security concerns are related to how a servlet container/app server implements the way it handles sessions. This does seem to differ from container to container.
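The length check the answer settles on, written out as a servlet. This is an added example and not code from the original question or answer; the servlet class, the `displayName` parameter and attribute name, and the 64-character limit are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the original post. A user-supplied value is stored in
// the HttpSession only after its size has been bounded, so no single client can
// make a session object (and whatever the container persists it to) grow without limit.
// The parameter/attribute name "displayName" and the limit are assumptions.
public class DisplayNameServlet extends HttpServlet {

    // Upper bound per session. Small enough that even many concurrent sessions
    // cannot exhaust heap or a disk/cluster-backed session store.
    private static final int MAX_LENGTH = 64;

    /** Returns the value if it is non-empty and within bounds, otherwise null. */
    static String checkedValue(String raw) {
        if (raw == null || raw.isEmpty()) {
            return null;
        }
        // String.length() counts UTF-16 code units, so the UTF-8 size of an
        // accepted value is at most 3 * MAX_LENGTH bytes. That is the figure to
        // use when sizing a session store that serializes attributes to bytes.
        if (raw.length() > MAX_LENGTH) {
            return null;
        }
        return raw;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String value = checkedValue(req.getParameter("displayName"));
        if (value == null) {
            // Reject rather than silently truncate: the client learns the limit,
            // and nothing oversized ever reaches setAttribute().
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "displayName must be 1-" + MAX_LENGTH + " characters");
            return;
        }
        // The check runs before the session is touched, so a rejected request
        // does not even create a session.
        HttpSession session = req.getSession(true);
        session.setAttribute("displayName", value);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The check bounds only what is retained in the session. How much request body the container buffers while parsing the parameter, and where and how it serializes the session afterwards, are container settings, which is the container-to-container difference the answer refers to. The value read back from the session later is still the client's input and should be treated as such wherever it is rendered.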
