Tinus Tate - 6 months ago · 37
Java Question

User defined value in session a security risk?

Is putting a value which the user can define/specify in an HTTP session a security risk?


If this is the case, what can I do to solve this?

One thing I can think of is a huge value which fills up my hard disk/memory, but it seems a bit far-fetched. Limiting the string length could solve this.


In the end I decided to only do a check on string length.

Most of the security concerns are related to how a servlet container/app server implements the way it handles sessions. This does seem to differ from container to container.
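As an added example (not code from the original post), here is one way to implement the length check the poster settled on, with a byte-size bound and a character whitelist alongside it, so that an unchecked value never reaches `session.setAttribute`. The class name `SessionValueGuard`, the attribute name `displayName`, the limits and the `javax.servlet.http.HttpSession` import are all assumptions chosen for this example.

```java
import javax.servlet.http.HttpSession;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Validates a user-supplied value before it is stored as a session attribute.
 * Class, method and attribute names are assumptions for this example.
 */
public final class SessionValueGuard {

    /** Maximum accepted length in characters (example limit). */
    public static final int MAX_LENGTH = 64;

    /** Maximum accepted size in bytes once UTF-8 encoded; multi-byte characters count extra. */
    public static final int MAX_BYTES = 256;

    /** Whitelist: letters, digits, space, dot, underscore, dash. Tighten to fit the field. */
    private static final Pattern ALLOWED = Pattern.compile("^[\\p{Alnum} ._-]*$");

    private SessionValueGuard() {}

    /**
     * Returns the value unchanged if it is acceptable, otherwise null.
     * The caller decides how to respond (reject the request, fall back to a default);
     * the session is never populated with a value that failed the check.
     */
    public static String validate(String raw) {
        if (raw == null) {
            return null;
        }
        // Length check first: it is cheap and bounds the work the regex does below.
        if (raw.length() > MAX_LENGTH) {
            return null;
        }
        // A character limit alone does not bound memory; check the encoded size too.
        if (raw.getBytes(StandardCharsets.UTF_8).length > MAX_BYTES) {
            return null;
        }
        if (!ALLOWED.matcher(raw).matches()) {
            return null;
        }
        return raw;
    }

    /**
     * Stores the value under the "displayName" attribute only if it passes validation.
     * Returns true on success so the servlet can answer with 400 Bad Request otherwise.
     */
    public static boolean storeDisplayName(HttpSession session, String raw) {
        String safe = validate(raw);
        if (safe == null) {
            return false;
        }
        session.setAttribute("displayName", safe);
        return true;
    }
}
```

In a servlet this would be called as `if (!SessionValueGuard.storeDisplayName(req.getSession(), req.getParameter("displayName"))) { resp.sendError(400); return; }`. Two points worth keeping in mind: the value is still user input after it is stored, so it must be output-encoded wherever it is rendered; and a per-value size limit bounds memory per session only, while how many sessions an unauthenticated client may create, and when idle ones are evicted, is governed by the container's session configuration.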