Just to clarify things, do you mean another user sending your
sessionId stored in your cookie to the shop?
leon
On 1/4/07, uni@(protected):
> Hi,
>
> The question I have is not purely specific to Struts, but I expect that it's a
> common problem for Struts users. Suppose you have a web application which is a
> shop. You have several users, each of which can have orders, accounting
> details, etc. Now a user logs in and you store the user object in the
> session. Further, you put a list of orders into a request and forward to a JSP
> that enables the user to select an order. When the user selects an order, the id is
> submitted to the action, the corresponding order is put into the request and
> you forward to the OrderDetails page.
> Up to now, everything is pretty standard. However, what happens if a user logs
> in, but then submits an arbitrary id - this would enable him to see orders from
> other users! How can such security gaps best be avoided?
>
> Cheers,
>
> Thorsten
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@(protected)
> For additional commands, e-mail: user-help@(protected)
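An added example, not code from either poster, of the usual answer to Thorsten's question: the order lookup is scoped to the owner taken from the session, and the only thing trusted from the request is that it contains some order id. The class names (`OrderRepository`, `OrderDetailsService`, `AccessDeniedException`) and the in-memory sample data are assumptions for illustration; in a Struts action the `User` would come from `request.getSession().getAttribute("user")` and the repository would be a DAO running a query such as `WHERE id = ? AND owner_id = ?`.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/*
 * Added illustration (not from the thread). The point: ownership is part of
 * the lookup itself, so an id guessed from another user finds nothing, and
 * the owner id is never read from the request, only from the session user.
 * All class names below are assumptions chosen for this example.
 */
public class OrderAccessDemo {

    /** The user object the question says is stored in the HttpSession at login. */
    static final class User {
        final long id;
        final String name;
        User(long id, String name) { this.id = id; this.name = name; }
    }

    static final class Order {
        final long id;
        final long ownerId;       // which user the order belongs to
        final String description;
        Order(long id, long ownerId, String description) {
            this.id = id; this.ownerId = ownerId; this.description = description;
        }
    }

    /** Thrown when a logged-in user asks for an order that is not theirs. */
    static final class AccessDeniedException extends Exception {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Stand-in for the DAO; constructed sample data instead of a database. */
    static final class OrderRepository {
        private final Map<Long, Order> orders = new HashMap<>();

        void save(Order o) { orders.put(o.id, o); }

        /** Equivalent of SELECT ... FROM orders WHERE id = ? AND owner_id = ?. */
        Optional<Order> findByIdAndOwner(long orderId, long ownerId) {
            Order o = orders.get(orderId);
            return (o != null && o.ownerId == ownerId) ? Optional.of(o) : Optional.empty();
        }
    }

    static final class OrderDetailsService {
        private final OrderRepository repo;
        OrderDetailsService(OrderRepository repo) { this.repo = repo; }

        /** The order id from the request is untrusted input; parse it defensively. */
        private static long parseOrderId(String raw) throws AccessDeniedException {
            try {
                return Long.parseLong(raw.trim());
            } catch (NumberFormatException | NullPointerException e) {
                throw new AccessDeniedException("malformed order id");
            }
        }

        /**
         * What the OrderDetails action should call before putting an order into
         * the request. Owner comes from the session; a foreign id is reported the
         * same way as a non-existent one, so the response does not confirm it exists.
         */
        Order loadForUser(String rawOrderId, User sessionUser) throws AccessDeniedException {
            if (sessionUser == null) {
                throw new AccessDeniedException("not logged in");
            }
            final long orderId = parseOrderId(rawOrderId);
            return repo.findByIdAndOwner(orderId, sessionUser.id)
                       .orElseThrow(() -> new AccessDeniedException(
                           "user " + sessionUser.id + " requested order " + orderId
                           + ", which is not theirs or does not exist"));
        }
    }

    public static void main(String[] args) {
        OrderRepository repo = new OrderRepository();
        repo.save(new Order(100, 1, "alice's order"));   // constructed sample data
        repo.save(new Order(200, 2, "bob's order"));
        OrderDetailsService service = new OrderDetailsService(repo);

        // In Struts this would be (User) request.getSession().getAttribute("user").
        User alice = new User(1, "alice");

        try {
            System.out.println("own order: " + service.loadForUser("100", alice).description);
        } catch (AccessDeniedException e) {
            System.out.println("unexpected: " + e.getMessage());
        }

        try {
            service.loadForUser("200", alice);   // the arbitrary id from the question
        } catch (AccessDeniedException e) {
            // Log user id, order id and remote address; repeats of this are worth alerting on.
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Running `main` prints the owned order for id 100 and a denial for id 200. The same scoping applies to the order list put into the request: build it from the session user's id, not from any parameter, so the selection page only ever offers ids that the later details lookup will accept.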