StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
1163375
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
7
CommunityOwnedDate
CreationDate
2009-07-22T06:28:34.203
FavoriteCount
0
LastActivityDate
2009-07-22T06:28:34.203
LastEditDate
LastEditorUserId
0
OwnerUserId
2525
ParentId
1163319
PostTypeId
2
Score
1
ViewCount
0
LastEditorDisplayName
text
Body
Talking generally (because this isn't a Java problem at all, it's a general web problem) session fixation arises when session IDs are easy to discover or guess. The main method of attack is when the session ID is in the URL of a page, for example <a href="http://example.com/index?sessionId=123" rel="nofollow noreferrer">http://example.com/index?sessionId=123</a>. An attacker could setup capture a session and then embed the link in their page, tricking a user into visiting it and becoming part of their session. Then when the user authenticates the session is authenticated. The mitigation for this is to not use URL based session IDs, but instead use cookies Some web applications will use a cookie session based but set it from the initial URL, for example visiting <a href="http://example.com/index?sessionId=123" rel="nofollow noreferrer">http://example.com/index?sessionId=123</a> would see the session id in the url and then create a session cookie from it, setting the id in the session cookie to 123. The mitigation for this is to generate random session ids on the server without using any user input as a seed into the generator. There's also browser based exploits where a poorly coded browser will accept cookie creation for domains which are not the originating domain, but there's not much you can do about that. And Cross Site Scripting attacks where you can send a script command into the attacked site to set the session cookie, which can be mitigated by setting the session cookie to be HTTP_ONLY (although Safari does not honour this flag) For Java the general recommendation is <pre><code>session.invalidate(); session=request.getSession(true); </code></pre> However at one point on JBoss this didn't work - so you need to check this works as expected within your chosen framework.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POJava secure session
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USblowdart
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COI try using this method, but the user will be logout is session.invalidate() is called
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
2. COWell then that's a limitation of the framework you are using I'm afraid.
 singulars
 PostPostId
 PO
 UserUserId
 USblowdart
3. COi am using jsf and tomcat, so got any other method to solve the problem?
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.