Where are JSP session variables stored?

Steve Sobol

I'm asking because I need to hold onto a password throughout the project I'm
currently working on. If the session object is stored only in RAM, I'm fine. If
it's stored in persistent storage, I'm going to have to encrypt the password.
 
Brusque

Steve Sobol said:
I'm asking because I need to hold onto a password throughout the project I'm
currently working on. If the session object is stored only in RAM, I'm fine. If
it's stored in persistent storage, I'm going to have to encrypt the password.

--
JustThe.net Internet & New Media Services, http://JustThe.net/
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / (e-mail address removed)
PGP Key available from your friendly local key server (0xE3AE35ED)
Apple Valley, California Nothing scares me anymore. I have three kids.

It depends on the product you're using, and also how it's configured. If
session persistence/replication is on then the password could be stored or
transmitted at some point, so I'd probably encrypt to be safe. Tomcat for
example saves session data to file by default when it's shut down.
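
An added example, not part of the original thread: it shows what ends up in a persisted session file, assuming the container writes session attributes with standard Java serialization (as Tomcat's default manager does on shutdown). The `Credential` class, the attribute names and the sample password are hypothetical and constructed for the illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;

public class SessionPersistenceDemo {

    // Hypothetical holder: the transient field is skipped by Java serialization,
    // so it never reaches a persisted session file and is null after a restore.
    static class Credential implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String user;
        private transient char[] password;

        Credential(String user, char[] password) {
            this.user = user;
            this.password = password;
        }
        boolean hasPassword() { return password != null; }
    }

    // Serialize an attribute map the way a file-backed session store would.
    static byte[] persist(HashMap<String, Object> attrs) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(attrs);
        }
        return buf.toByteArray();
    }

    // Byte-for-byte search for an ASCII string inside the serialized form.
    static boolean contains(byte[] data, String needle) {
        return new String(data, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-pw-123"; // constructed sample value

        HashMap<String, Object> plain = new HashMap<>();
        plain.put("password", secret);        // password stored as a plain String attribute
        System.out.println("String attribute in stored bytes: " + contains(persist(plain), secret));

        HashMap<String, Object> guarded = new HashMap<>();
        guarded.put("cred", new Credential("steve", secret.toCharArray()));
        byte[] stored = persist(guarded);
        System.out.println("transient field in stored bytes:  " + contains(stored, secret));

        // Simulate the reload after a restart: the holder returns without the password.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stored))) {
            HashMap<?, ?> restored = (HashMap<?, ?>) in.readObject();
            System.out.println("password present after restore:   "
                    + ((Credential) restored.get("cred")).hasPassword());
        }
    }
}
```

With the transient holder the application has to ask for the password again when `hasPassword()` is false after a restart; session replication between nodes uses the same serialized form, so the same reasoning applies there.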
 
Steve Sobol

Brusque said:
It depends on the product you're using, and also how it's configured. If
session persistence/replication is on then the password could be stored or
transmitted at some point, so I'd probably encrypt to be safe. Tomcat for
example saves session data to file by default when it's shut down.

**nodding** well, this product has a desktop version, and when I save the
password to a file it's DES encrypted. I will do the same thing in the JSP version.

Thanks.
 
Sudsy

Steve said:
I'm asking because I need to hold onto a password throughout the project
I'm currently working on. If the session object is stored only in RAM,
I'm fine. If it's stored in persistent storage, I'm going to have to
encrypt the password.

But is this not "Much Ado About Nothing"? What I mean by that is the
fact that only sys admins or the user id running the servlet container
are going to be able to access the files used for persistence. Since
all of this is occurring on the server side, where are the security
considerations?
I'm presuming that the server is secured from external access in
accordance with traditional best practices...
 
Steve Sobol

Sudsy said:
But is this not "Much Ado About Nothing"?

Nope. I try to keep my server locked down and updated. But there's always the
chance someone will be able to break in and grab stuff.
 
Steve Sobol

Frank said:
Could I ask why?

Because I need to send it along with some other data to accomplish some of the
tasks the site is going to accomplish.
 
