Tinus Tate - 1 month ago
Java Question

User defined value in session a security risk?

Is putting a value which the user can define/specify in an HTTP session a security risk?

// store the raw, user-supplied request parameter in the HTTP session
request.getSession().setAttribute(KEY, request.getParameter(usernameParameter));


If this is the case, what can I do to solve this?

One thing I can think of is a huge value which fills up my hard disk/memory, but it seems a bit far-fetched. Limiting the string length could solve this.

Answer

In the end I decided to only do a check on string length.

Most of the security concerns are related to how a servlet container/app server implements the way it handles sessions. This does seem to differ from container to container.
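Added example (not the asker's code): one way to apply the length check from the answer before the value reaches the session, reusing the KEY and usernameParameter names from the question. The 64-character bound and the allowed character set are assumptions chosen for illustration; the check also avoids creating a session at all when the input is rejected, so junk requests cannot allocate session storage.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionUsername {
    // Attribute and parameter names reuse the identifiers from the question.
    private static final String KEY = "username";
    private static final String usernameParameter = "username";
    // Assumed bound for this example; use whatever your user store actually permits.
    private static final int MAX_LENGTH = 64;

    /**
     * Validates the user-supplied value before it is stored anywhere.
     * Returns null when the value must be rejected.
     */
    static String sanitizeUsername(String raw) {
        if (raw == null) {
            return null;
        }
        String value = raw.trim();
        // Length check: the concern raised in the question and answer.
        if (value.isEmpty() || value.length() > MAX_LENGTH) {
            return null;
        }
        // Conservative character set (assumption): keeps control characters and
        // markup out of a value that later ends up in pages and log lines.
        if (!value.matches("[A-Za-z0-9._@-]+")) {
            return null;
        }
        return value;
    }

    /** Stores the validated value; returns false (and creates no session) on rejection. */
    static boolean storeUsername(HttpServletRequest request) {
        String value = sanitizeUsername(request.getParameter(usernameParameter));
        if (value == null) {
            return false;
        }
        // Only create the session once the input has passed validation.
        HttpSession session = request.getSession(true);
        session.setAttribute(KEY, value);
        return true;
    }
}
```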