tomcat-users mailing list archives

From "David Wall" <dw...@myEastside.com>
Subject Re: HttpSession across virtual hosts
Date Thu, 08 Feb 2001 17:00:48 GMT
> What I've seen done, which doesn't necessarily make it secure, is to
> send some form of CartID.  This ID identifies the Cart in some shared back
> end data store.  Usually these are large numbers that contain enough
> information to determine if it's a possible real value, or a number someone
> made up.  If it's something that someone made up, usually their IP is
> locked out for a certain amount of time or a session field is set that doesn't
> allow them in as long as that same session is valid.

IP blocking won't work at all for the millions of users behind proxy
servers. Every single user will appear to come from the same IP address, and
big guys like AOL will feed you multiple IP addresses from a SINGLE page
request (it may ask for the .jsp file with one IP address and get the
various .gifs with different IP addresses).

For CartIDs, you have the same problem as a session id in the cookie or
rewritten URL.  So the common solution I've seen these days is to use
java.security.SecureRandom (you pay a one-time performance hit when the first
random is generated because it has to attempt to randomize its seed as best
it can) to create those IDs.  You can store them in the database to ensure
they are unique, though the odds are certainly against non-unique if you use
a large enough range of values.

David
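The approach David describes, worked through as an added example (this is not code from the thread or from Tomcat): IDs come from a single shared java.security.SecureRandom instance so the expensive self-seeding happens once, each ID carries 128 bits of randomness, and every issued ID is recorded in a store before it is handed out so a duplicate can never be issued. The class name, the in-memory HashSet standing in for the shared back-end database, and the 16-byte size are assumptions for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/**
 * Issues unguessable cart identifiers (hypothetical class for illustration).
 *
 * The token itself carries no structure to "validate" against; the only way
 * to tell a real ID from a made-up one is to look it up in the store.
 */
public class CartIdGenerator {

    // One shared instance: the one-time seeding cost is paid on first use,
    // not on every request. SecureRandom is safe to share between threads.
    private static final SecureRandom RNG = new SecureRandom();

    // 16 bytes = 128 bits of entropy. Guessing a valid ID by brute force
    // is infeasible, so IP-based lockout is not needed to defend the IDs.
    private static final int ID_BYTES = 16;

    // Stand-in for the shared back-end data store (assumption: an in-memory
    // set; a real deployment would use the database with a unique index).
    private final Set<String> issuedIds = new HashSet<>();

    /** Generates a fresh ID and records it; retries on the (negligible) collision. */
    public synchronized String newCartId() {
        byte[] buf = new byte[ID_BYTES];
        while (true) {
            RNG.nextBytes(buf);
            // URL-safe, no padding: usable in a cookie or a rewritten URL as-is.
            String id = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            if (issuedIds.add(id)) {
                return id;
            }
            // Duplicate: practically impossible at 128 bits, but the store
            // check guarantees uniqueness rather than merely making it likely.
        }
    }

    /** The only valid check for a presented ID: was it actually issued? */
    public synchronized boolean isIssued(String id) {
        return id != null && issuedIds.contains(id);
    }

    public static void main(String[] args) {
        CartIdGenerator gen = new CartIdGenerator();
        String a = gen.newCartId();
        String b = gen.newCartId();
        System.out.println("issued: " + a);
        System.out.println("issued: " + b);
        System.out.println("a recognised: " + gen.isIssued(a));           // true
        System.out.println("made-up recognised: " + gen.isIssued("1234")); // false
        System.out.println("distinct: " + !a.equals(b));                   // true
    }
}
```

Note that a made-up ID is simply rejected on lookup; nothing about the client (its IP address, which may be shared by an entire proxy farm) enters into the decision, which is the point David makes about IP blocking above.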

