Session variable in JSP/servlet application

[Steve Sobol]

How secure is stuff stored in a JSP session using session.setAttribute() ?

I'm thinking, "not at all" - and that I need to encrypt sensitive
information like passwords if I'm storing it that way. But I could be wrong.

 

[Vitamines]

when set the sensitive information into a session,you'd better encrypt
it using md5,then it will be safe

 

[Andrea Desole]

How secure is stuff stored in a JSP session using session.setAttribute() ?

I'm thinking, "not at all" - and that I need to encrypt sensitive
information like passwords if I'm storing it that way. But I could be wrong.

except a few cases (for example if you have to serialize the information
in your session) you shouldn't worry about it. Session information stays
on the server, and it's associated to the client request via the
jsessionid cookie

 

[Timo Stamm]

when set the sensitive information into a session,you'd better encrypt
it using md5,then it will be safe

This must be a joke. If you "encrypt" something with MD5, the
information itself is lost.

MD5 is a hashing algorithm, not an encryption algorithm.

Besides, Sessions reside on the server side, so it can be considered
safe under the assumption that client == unsafe and server == safe.


Timo

 

[Roedy Green]

when set the sensitive information into a session,you'd better encrypt
it using md5,then it will be safe

You can do a password digest with MD5 but not general encryption.

see http://mindprod.com/jgloss/encryption.html
http://mindprod.com/jgloss/md5.html

 

[inquisitive]

hi
the basic ques was
" How secure is stuff stored in a JSP session using
session.setAttribute() ? "

try reading follwing link to know how secure it is

http://www.securiteam.com/securityreviews/5TP0F0UEVQ.html