struts-user mailing list archives

From Al Sutton <al.sut...@alsutton.com>
Subject Re: [s2] Whats the most strutsy way of doing....
Date Thu, 26 Jun 2008 14:50:46 GMT
It's going to be a problem with whatever method is used. Even if there 
is a server side IP address record for each cookie you still have the 
problem of cookies stolen and used at the same location :(.

Unless you have an idea you wish to share? :).

Al.


Musachy Barroso wrote:
> Be aware of cookie stealing.
>
> musachy
>
> On Thu, Jun 26, 2008 at 10:32 AM, Al Sutton <al.sutton@alsutton.com> wrote:
>   
>> I was thinking more along the lines of encrypting the userId and password
>> hash using AES, store the value in the cookie, then if the cookie is
>> available during another session decrypt, check everything matches, and let
>> them back in.
>>
>> That way it avoids trying to maintain sync between the user and the server.
>>
>> Al.
>>
>> Lukasz Lenart wrote:
>>     
>>> I think there isn't any solution in Struts2, so then, implement that
>>> with cookies and save such cookie also on the server side in db, you
>>> can also allow such thing for selected users, etc.
>>>
>>>
>>> Regards
>>>
>>>       
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>
>>     
>
>
>
>   
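
The server-side cookie record suggested earlier in the thread, as an added example that is not part of the original messages or of Struts 2: the cookie carries only a random token, the server keeps its SHA-256 hash with an expiry, and each token is redeemed once, so a stolen copy becomes useless once the token has been redeemed or revoked. The class name, the in-memory map standing in for the database table, and the sample user id are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example: server-side remember-me tokens; the in-memory map stands in for a DB table.
public class RememberMeTokens {
    private record Entry(String userId, Instant expires) {}
    private final Map<String, Entry> store = new ConcurrentHashMap<>(); // key: SHA-256 of token
    private final SecureRandom rng = new SecureRandom();

    // Issue a random token for userId; the returned string is the cookie value.
    public String issue(String userId, long ttlSeconds) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(hash(token), new Entry(userId, Instant.now().plusSeconds(ttlSeconds)));
        return token;
    }

    // Redeem a cookie value at most once; on success the caller issues a fresh token.
    public Optional<String> redeem(String token) {
        if (token == null) return Optional.empty();
        Entry e = store.remove(hash(token)); // removed even if expired
        if (e == null || Instant.now().isAfter(e.expires())) return Optional.empty();
        return Optional.of(e.userId());
    }

    // Drop every token of a user, e.g. after a password change or a reported theft.
    public void revokeAll(String userId) {
        store.values().removeIf(e -> e.userId().equals(userId));
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex); // SHA-256 is required on every Java platform
        }
    }

    public static void main(String[] args) {
        RememberMeTokens tokens = new RememberMeTokens();
        String cookie = tokens.issue("user-42", 14 * 24 * 3600L); // constructed sample user id
        System.out.println("first use:  " + tokens.redeem(cookie));
        System.out.println("replay:     " + tokens.redeem(cookie));
    }
}
```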

