Posted to user@struts.apache.org by Nicolas De Loof <ni...@cgey.com> on 2004/01/08 09:59:31 UTC

Configuring Struts NOT to create (unauthenticated) sessions

Hi all,

I would like Struts NOT to create a session for an unauthenticated user. As far as I understand the Struts code, I need to
set locale="false" in the struts-config.xml <controller>.

Is there any other Struts mechanism that can create a session (excluding action mappings declared as scope="session")?

Doesn't the "locale" default value (true) expose lots of Struts applications to attack? (The server runs out of memory because
too many sessions have been created; isn't this what is called "Denial of Service"?)

Nico.


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: Configuring Struts NOT to create (unauthenticated) sessions

Posted by Nicolas De Loof <ni...@cgey.com>.
A session CONTEXT is created when some code uses
    request.getSession() or request.getSession(true)

Session tracking (using a cookie or URL rewriting) is used to keep the association between user and context. The session tracking
mechanism uses a random number generator but doesn't use memory to store data until a CONTEXT is created.

Nico.





Re: Configuring Struts NOT to create (unauthenticated) sessions

Posted by Manfred Wolff <ma...@manfred-wolff.de>.
HG.

I _don't_ think you are right. A session object exists with and without
Struts. The documentation says:

-->
The Hypertext Transfer Protocol (HTTP) is by design a stateless protocol. To build
effective web applications, it is imperative that requests from a particular client be
associated with each other. Many strategies for session tracking have evolved over
time, but all are difficult or troublesome for the programmer to use directly.
This specification defines a simple HttpSession interface that allows a servlet
container to use any of several approaches to track a user's session without
involving the Application Developer in the nuances of any one approach.
<--

The session is more than the attributes Struts can put into it ;-)

Manfred

HG wrote:

>Hi Manfred
>
>I think Nicolas is trying to find all places where Struts manipulates the
>session in some way.
>
>Locale=True does indeed manipulate the session, thus resulting in the
>session being created, if not already there.
>
>When no one (action, object, tag, whatever) has requested attributes to be
>stored in the session, no session object will exist. Session info (cookie,
>URL rewriting, etc.) is only created if there are attributes on the Session
>object. Am I correct on this one??
>
>I don't understand WHY Nicolas does not want the session to be created... Is
>it because of memory usage... denial of service attacks...?
>
>Maybe I don't understand Nicolas too... but I did give my few pennies
>away :-)
>
>Regards
>
>Henrik
>
>----- Original Message ----- 
>From: "Manfred Wolff" <ma...@manfred-wolff.de>
>To: "Struts Users Mailing List" <st...@jakarta.apache.org>
>Sent: Thursday, January 08, 2004 3:22 PM
>Subject: Re: Configuring Struts NOT to create (unauthentified) sessions
>
>>Nicolas.
>>
>>I perhaps don't understand you, but (!) the locale attribute has nothing
>>to do with creating sessions! The locale attribute tells Struts to save
>>a Locale object in the session if there is nothing stored.
>>
>>Manfred
>>

-- 
===========================================
Dipl.-Inf. Manfred Wolff
-------------------------------------------
phone neusta  : +49 421 20696-27
phone         : +49 421 534522
mobil         : +49 178 49 18 434
eFax          : +49 1212 6 626 63 965 33
-------------------------------------------
____________________________________________________
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.





Re: Configuring Struts NOT to create (unauthenticated) sessions

Posted by Nicolas De Loof <ni...@cgey.com>.
I just would like some more info from Struts/J2EE masters:

Is this on-unauthenticated-URI-session-is-created scenario a possible DoS attack?

Nico.





Re: Configuring Struts NOT to create (unauthenticated) sessions

Posted by HG <st...@nospam.websolver.dk>.
Hi Nicolas

Glad you figured it out, and thanks for sharing it with the rest of us.

Peace,

Henrik



Re: Configuring Struts NOT to create (unauthenticated) sessions

Posted by Nicolas De Loof <ni...@cgey.com>.
Here is what I need to do to avoid creating a session before the user has been authenticated:


. add <%@ page session="false" %> to the JSP used by my login tile definition (layout & tiles)
=> requesting login.jsp doesn't create a session

. set <controller locale="false"> in struts-config.xml
. set validate="false" for the login action
(. set scope="request" for the login action)
=> requesting login.do doesn't create a session until I create it myself when authentication has succeeded (or some
action-mapping has scope="session").


Thank you all for your help.

Nico.





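The settings listed in the post above remove the session-creating calls the thread found, but nothing in the thread shows how to confirm that no remaining code path (a JSP without session="false", <html:html>, the validator's Resources.getLocale(), an action mapping with scope="session") still creates a session for a pre-login request, nor how to notice the session flood Nicolas asks about. The Filter plus HttpSessionListener below is an added example, not code from the thread or from Struts. The class name, the login.jsp/login.do path list, the alarm threshold and the web.xml registration in the comment are assumptions; it targets a Servlet 2.3+ container and Java 5.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical audit component (not part of Struts): reports every session the
 * container creates while serving a request to a path that unauthenticated
 * clients may reach, and keeps a live-session count to spot a session flood.
 *
 * Assumed registration in web.xml:
 *   <filter><filter-name>sessionAudit</filter-name>
 *           <filter-class>SessionCreationAuditFilter</filter-class></filter>
 *   <filter-mapping><filter-name>sessionAudit</filter-name>
 *                   <url-pattern>/*</url-pattern></filter-mapping>
 *   <listener><listener-class>SessionCreationAuditFilter</listener-class></listener>
 */
public class SessionCreationAuditFilter implements Filter, HttpSessionListener {

    private static final Logger LOG = Logger.getLogger("session-audit");

    /** Context-relative paths served before login: the thread's login.jsp and login.do (assumption). */
    static final Set<String> PRE_AUTH_PATHS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("/login.jsp", "/login.do")));

    /** Above this many live sessions, creation is logged as SEVERE (constructed threshold). */
    static final int LIVE_SESSION_ALARM = 10000;

    /** Shared between the Filter instance and the listener instance the container creates. */
    private static final AtomicInteger LIVE_SESSIONS = new AtomicInteger();

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String path = contextRelativePath(http);
        // getSession(false) only looks up an existing session; unlike getSession()
        // or getSession(true) it never allocates one, so the audit is side-effect free.
        boolean existedBefore = http.getSession(false) != null;

        // Forwards to JSPs happen inside this call, so a JSP that creates a session is seen too.
        chain.doFilter(req, resp);

        HttpSession created = http.getSession(false);
        if (!existedBefore && isPreAuthPath(path) && created != null) {
            // Something downstream called getSession(true). The stored attribute names
            // usually identify it (e.g. the Locale saved by <controller locale="true">).
            LOG.warning("session created by unauthenticated request to " + path
                    + "; attributes=" + Collections.list(created.getAttributeNames())
                    + "; live sessions=" + LIVE_SESSIONS.get());
        }
    }

    /** Path below the context root, without any ;jsessionid path parameter. */
    static String contextRelativePath(HttpServletRequest http) {
        String uri = http.getRequestURI().substring(http.getContextPath().length());
        int semi = uri.indexOf(';');
        return semi >= 0 ? uri.substring(0, semi) : uri;
    }

    static boolean isPreAuthPath(String path) {
        return PRE_AUTH_PATHS.contains(path);
    }

    // HttpSessionListener: the container calls these for every session it creates or destroys.

    public void sessionCreated(HttpSessionEvent e) {
        int live = LIVE_SESSIONS.incrementAndGet();
        if (live > LIVE_SESSION_ALARM) {
            // Many sessions held at once is the out-of-memory scenario from the thread;
            // pair this alarm with a short <session-timeout> for pre-login traffic.
            LOG.severe("live sessions=" + live + " exceeds " + LIVE_SESSION_ALARM);
        }
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        LIVE_SESSIONS.decrementAndGet();
    }
}
```

Run the login page and login action once each with the filter installed: a warning means one of the settings above is still missing or another component calls getSession(true), and the logged attribute names say which.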


Re: Configuring Struts NOT to create (unauthenticated) sessions

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Quoting Nicolas De Loof <ni...@cgey.com>:

> I've made a grep on the Struts 1.1 sources. I noticed some cases where a session
> is created that seem to me 'uncontrolled':
> 
> 
> RequestProcessor uses request.getSession():
> - in processLocale if the controller is configured to use Locale (default =
> true)
> 
> HTMLTag uses request.getSession():
> - in currentLocale(): if any JSP uses <html:html> a session is created!
> 
> o.a.s.validator.Resources uses request.getSession():
> - in getLocale(request): if the validator is used (for example to validate the login
> page) a session will always be created
> 
> 
> Isn't there any way NOT to create a session for a user that hasn't been
> authenticated?
> 
> Nico.
> 

Besides the places where Struts itself creates a session, if you're using JSP
you should be aware that every JSP page will create a session unless you tell
it not to:

  <%@ page session="false" %>

Craig




Re: Configuring Struts NOT to create (unauthenticated) sessions

Posted by Kris Schneider <kr...@dotech.com>.
It sounds like the real issue is validator usage (I'm assuming you can avoid the
other features that cause session creation). How difficult would it be to do the
login validation "by hand"? I expect you're just verifying that something like a
user and password have been submitted (and maybe that they conform to some format).


-- 
Kris Schneider <ma...@dotech.com>
D.O.Tech       <http://www.dotech.com/>



Re: Configuring Struts NOT to create (unauthenticated) sessions

Posted by Nicolas De Loof <ni...@cgey.com>.
I would like to set my login JSP to have this directive (<%@ page session="false" %>)
and the other ones to be in WEB-INF (not visible to users).

I use an application-specific authentication.

I would like any user (friend or hacker) to get access to the (internationalized) login page, be able to submit the login form
to "/login.do", and use struts-validator to validate required inputs. For all this no session should be created. When the
user is authenticated, access to the other URIs of the application is granted by a custom processRole.

Nico.



> How are you performing authentication? Depending on the process you're using, it
> may be possible to avoid hitting any of those conditions until after it's
> successful.
>
> P.S.
> By default, a JSP will create a session if one doesn't already exist (nothing to
> do with Struts), so any pages that can be hit by unauthenticated users should do:
>
> <%@ page session="false" %>
>
> > >
> > > This is exactly what I'm looking for.
> > >
> > > For some of the applications I'm working on, my customers are paranoid
> > > about security. I think that if an unauthenticated user is able to create
> > > a session on the server, it can expose the server to a DoS attack, because
> > > every created session will use some memory.
> > >
> > > It is really simple to write a client that sends hundreds of requests to
> > > the server. If a session is created on each request, the server will
> > > quickly be out of memory (Session object + stored objects (Locale) size).
> > >
> > > If a session is created only for authenticated users, the server will
> > > survive such a (simple) attack.
> > >
> > > Perhaps I'm wrong about this; if this scenario is stupid please tell me.
> > >
> > > For example, I've seen that RequestUtils.retrieveUserLocale() uses request
> > > scope if no session exists. This way, no session is created when displaying
> > > a login JSP that uses i18n.
> > >
> > > With locale="true" (default) a new session is created when ActionServlet
> > > processes a request. We need to set it to false to control session
> > > creation. I want to know if there are other Struts properties to set to
> > > avoid creating a new session for a non-authenticated user.
> > >
> > >
> > > Nico.
> > >
> > >
> > >
> > > > Hi Manfred
> > > >
> > > > I think Nicolas is trying to find all places where Struts manipulates
> > the
> > > > session in some way..
> > > >
> > > > Locale=True does indeed manipulate the session..thus resulting in the
> > > > session being created, if not already there.
> > > >
> > > > When no one (action, object, tag, whatever) has requested attributes to
> > be
> > > > stored in the session, no session object will exist..Session info
> > (cookie,
> > > > URL rewriting, etc) is only created if there are attributes on the
> > Session
> > > > object. Am I correct on this one??
> > > >
> > > > I don't understand WHY Nicolas does not want the session to be
> > created...Is
> > > > it because of memory usage...denial of service attacks...?
> > > >
> > > > Maybe, I don't understand, Nicolas, too...but it did gave my few
> > pennies
> > > > away :-)
> > > >
> > > > Regards
> > > >
> > > > Henrik
> > > >
> > > > ----- Original Message ----- 
> > > > From: "Manfred Wolff" <ma...@manfred-wolff.de>
> > > > To: "Struts Users Mailing List" <st...@jakarta.apache.org>
> > > > Sent: Thursday, January 08, 2004 3:22 PM
> > > > Subject: Re: Configuring Struts NOT to create (unauthentified) sessions
> > > >
> > > >
> > > > > Nicolas.
> > > > >
> > > > > I perhaps don't understand you. but (!) The locale attribut has
> > nothing
> > > > > to do with creating sessions! The locale attribute tells struts to
> > save
> > > > > a Locale-Object in the session, if there is nothing stored.
> > > > >
> > > > > Manfred
> > > > >
> > > > > Nicolas De Loof wrote:
> > > > >
> > > > > >Hy all,
> > > > > >
> > > > > >I would like Struts NOT to create a session for an unauthentified
> > user.
> > > > As far as I understand Struts code, I need to
> > > > > >set locale="false" in struts-config.xml <controller>.
> > > > > >
> > > > > >Is they're any ohter Struts mecanism that can create a session
> > (excluding
> > > > action-mapping declared as scope="session") ?
> > > > > >
> > > > > >Doesn't the "locale" default value (true) expose lot's of struts
> > > > application to attack ? (server Out of Memory because
> > > > > >to much sessions have been created - isn't this what is called "Deny
> > Of
> > > > Service" ?)
> > > > > >
> > > > > >Nico.
> > > > > >
> > > > > >
> > > > >
> > >---------------------------------------------------------------------
> > > > > >To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> > > > > >For additional commands, e-mail: struts-user-help@jakarta.apache.org
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > > -- 
> > > > > ===========================================
> > > > > Dipl.-Inf. Manfred Wolff
> > > > > -------------------------------------------
> > > > > phone neusta  : +49 421 20696-27
> > > > > phone         : +49 421 534522
> > > > > mobil         : +49 178 49 18 434
> > > > > eFax          : +49 1212 6 626 63 965 33
> > > > > -------------------------------------------
>
> -- 
> Kris Schneider <ma...@dotech.com>
> D.O.Tech       <http://www.dotech.com/>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
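
The scheme described in this post (a public login mapping validated by struts-validator, a custom processRoles, and no session until the login succeeds), as an added example that is not code from the thread or from Struts itself. It is a Struts 1.1 RequestProcessor subclass that keeps the stock processLocale behaviour for callers who already have a session but asks for that session with getSession(false), and whose processRoles gates every mapping that declares roles behind an existing authenticated session. Assumed names: the class NoAnonymousSessionProcessor, the session attribute "app.user" that the login action stores on success, and the AuthenticatedUser interface of that stored object; "/login.do" is the login path from the post.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.Globals;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Struts 1.1 RequestProcessor that never allocates an HttpSession for a
 * caller who has not logged in. Hypothetical example class; wire it in with
 * <controller processorClass="example.NoAnonymousSessionProcessor"/> in
 * struts-config.xml (class and package name are assumed).
 */
public class NoAnonymousSessionProcessor extends RequestProcessor {

    /** Session attribute under which the login action stores the user (assumed name). */
    public static final String USER_KEY = "app.user";

    /** Where an anonymous caller of a protected mapping is sent; the login mapping from the thread. */
    private static final String LOGIN_PATH = "/login.do";

    /** What the login action stores under USER_KEY (assumed application interface). */
    public interface AuthenticatedUser {
        boolean hasRole(String role);
    }

    /**
     * Same effect as the stock processLocale (remember the container's Locale
     * under Globals.LOCALE_KEY) for callers that already have a session, but
     * the session is looked up with getSession(false), so locale="true" can
     * stay in struts-config.xml without creating sessions for anonymous
     * requests. Without a session nothing is stored and the tags fall back
     * to the container's request.getLocale().
     */
    protected void processLocale(HttpServletRequest request, HttpServletResponse response) {
        if (!moduleConfig.getControllerConfig().getLocale()) {
            return;                                        // locale="false": nothing to do
        }
        HttpSession session = request.getSession(false);   // never creates one
        if (session == null || session.getAttribute(Globals.LOCALE_KEY) != null) {
            return;
        }
        Locale locale = request.getLocale();
        if (locale != null) {
            session.setAttribute(Globals.LOCALE_KEY, locale);
        }
    }

    /**
     * Mappings declared without roles (the login action) stay public. Every
     * other mapping requires an existing session holding an authenticated
     * user with one of the declared roles. The check itself must not create
     * a session either, so it also uses getSession(false).
     */
    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
                                   ActionMapping mapping) throws IOException, ServletException {
        String[] roles = mapping.getRoleNames();
        if (roles == null || roles.length == 0) {
            return true;                                   // public mapping, e.g. /login.do
        }
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);
        if (!(user instanceof AuthenticatedUser)) {
            // Not logged in: send to the login page, still without allocating a session
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return false;
        }
        for (int i = 0; i < roles.length; i++) {
            if (((AuthenticatedUser) user).hasRole(roles[i])) {
                return true;
            }
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "not authorized for " + mapping.getPath());
        return false;
    }
}
```

Two things to check when using this: every action-mapping that must be protected has to declare a roles attribute (a mapping without one is treated as public), and the login action is the only place that calls request.getSession(true), after the credentials have been verified. The processor does not cover the other callers listed in the thread (html:html and the validator Resources class), so the login page still needs <%@ page session="false" %> and should avoid those tags, or be checked with a guard at the request level.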


Re: Configuring Struts NOT to create (unauthentified) sessions

Posted by Kris Schneider <kr...@dotech.com>.
How are you performing authentication? Depending on the process you're using, it
may be possible to avoid hitting any of those conditions until after it's
successful.

P.S.
By default, a JSP will create a session if one doesn't already exist (nothing to
do with Struts), so any pages that can be hit by unauthenticated users should do:

<%@ page session="false" %>

Quoting Nicolas De Loof <ni...@cgey.com>:

> I've made a grep on Struts 1.1 sources. I noticed some cases where a session
> is created that seem to me 'uncontrolled':
> 
> 
> RequestProcessor uses request.getSession():
> - in processLocale if controller is configured to use Locale (default =
> true)
> 
> HTMLTag uses request.getSession():
> - in currentLocale(): if any JSP uses <html:html> a session is created!
> 
> o.a.s.validator.Resources uses request.getSession():
> - in getLocale(request): if validator is used (for example to validate login
> page) a session will always be created
> 
> 
> Isn't there any way NOT to create a session for a user that hasn't been
> authenticated?
> 
> Nico.
> 
> 
> 
> 
> 

-- 
Kris Schneider <ma...@dotech.com>
D.O.Tech       <http://www.dotech.com/>

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: Configuring Struts NOT to create (unauthentified) sessions

Posted by Nicolas De Loof <ni...@cgey.com>.
I've made a grep on Struts 1.1 sources. I noticed some cases where a session is created that seem to me 'uncontrolled':


RequestProcessor uses request.getSession():
- in processLocale if controller is configured to use Locale (default = true)

HTMLTag uses request.getSession():
- in currentLocale(): if any JSP uses <html:html> a session is created!

o.a.s.validator.Resources uses request.getSession():
- in getLocale(request): if validator is used (for example to validate login page) a session will always be created


Isn't there any way NOT to create a session for a user that hasn't been authenticated?

Nico.





>
> This is exactly what I'm looking for.
>
> For some of the applications I'm working on, my customers are paranoid about security. I think that if an
> unauthenticated
> user is able to create a session on the server, it can expose the server to a DoS attack, because every created session
> will use some memory.
>
> It is really simple to write a client that sends hundreds of requests to the server. If a session is created on each
> request, the server will quickly be out of memory (Session object + stored objects (Locale) size).
>
> If a session is created only for authenticated users, the server will survive such a (simple) attack.
>
> Perhaps I'm wrong about this, if this scenario is stupid please tell me.
>
> For example, I've seen that RequestUtils.retrieveUserLocale() uses request scope if no session exists. This way, no
> session is created when displaying a login JSP that uses i18n.
>
> With locale="true" (default) a new session is created when ActionServlet processes a request. We need to set it to false
> to control session creation. I want to know if there are other Struts properties to set to avoid creating new sessions
> for non-authenticated users.
>
>
> Nico.
>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
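
The grep above found three callers of request.getSession() (processLocale, html:html via currentLocale(), and the validator's Resources.getLocale()), and Kris's reply adds a fourth, the implicit session object of any JSP compiled without session="false". The same search can be done at runtime instead of in the sources. The following servlet filter is an added example, not code from the thread or from Struts: it wraps every request that carries no authenticated session in an HttpServletRequestWrapper whose getSession() logs the stack trace of whatever asked for a session, and, with the init-param deny=true, refuses to allocate one. Assumed names: the class SessionGuardFilter, the session attribute "app.user" stored by the login action, and the request attribute "app.session.allow" that the login action sets just before it legitimately creates the session on a successful login.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Servlet filter that catches every attempt to create an HttpSession on a
 * request that is not yet authenticated. Hypothetical example, not part of
 * Struts: it wraps the request, so each request.getSession() made further
 * down (RequestProcessor.processLocale, html:html, validator Resources, the
 * JSP implicit session object) passes through the guard, which logs the
 * caller's stack trace and, when the init-param "deny" is true, refuses.
 */
public class SessionGuardFilter implements Filter {

    /** Session attribute the login action stores on success (assumed name). */
    public static final String USER_KEY = "app.user";

    /** Request attribute the login action sets right before it creates the session (assumed name). */
    public static final String ALLOW_KEY = "app.session.allow";

    private FilterConfig config;
    private boolean deny;

    public void init(FilterConfig filterConfig) throws ServletException {
        config = filterConfig;
        deny = "true".equalsIgnoreCase(filterConfig.getInitParameter("deny"));
    }

    public void destroy() {
        config = null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && !isAuthenticated((HttpServletRequest) req)) {
            // Anonymous caller: everything downstream sees the guarded request
            chain.doFilter(new GuardedRequest((HttpServletRequest) req), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Authenticated means a session already exists AND the login action put a user in it. */
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // never allocates
        return session != null && session.getAttribute(USER_KEY) != null;
    }

    private class GuardedRequest extends HttpServletRequestWrapper {

        GuardedRequest(HttpServletRequest request) {
            super(request);
        }

        public HttpSession getSession() {
            return getSession(true);
        }

        public HttpSession getSession(boolean create) {
            HttpSession existing = super.getSession(false);
            if (existing != null || !create) {
                return existing;                           // nothing new is allocated
            }
            if (getAttribute(ALLOW_KEY) != null) {
                return super.getSession(true);             // login action, after a successful check
            }
            String where = getMethod() + " " + getRequestURI();
            // The Throwable's stack trace names the Struts, tag or JSP code that asked
            config.getServletContext().log(
                "session creation by unauthenticated request: " + where,
                new Throwable("session requested here"));
            if (deny) {
                throw new IllegalStateException("session creation refused before login: " + where);
            }
            return super.getSession(true);
        }
    }
}
```

Map the filter to /* in web.xml. A JSP reached through a Struts forward still sees the wrapped request, because the RequestDispatcher passes along the object it was given, so the implicit session of a page that lacks session="false" is caught as well. Run it in log mode first and fix each caller the stack traces point at (locale="false", the page directive, avoiding html:html and the validator's locale lookup on public pages); only switch to deny=true once the log stays empty, since in that mode an unexpected getSession() turns into a failed request rather than an allocated session.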


Re: Configuring Struts NOT to create (unauthentified) sessions

Posted by Nicolas De Loof <ni...@cgey.com>.
This is exactly what I'm looking for.

For some of the applications I'm working on, my customers are paranoid about security. I think that if an unauthenticated
user is able to create a session on the server, it can expose the server to a DoS attack, because every created session
will use some memory.

It is really simple to write a client that sends hundreds of requests to the server. If a session is created on each
request, the server will quickly be out of memory (Session object + stored objects (Locale) size).

If a session is created only for authenticated users, the server will survive such a (simple) attack.

Perhaps I'm wrong about this, if this scenario is stupid please tell me.

For example, I've seen that RequestUtils.retrieveUserLocale() uses request scope if no session exists. This way, no
session is created when displaying a login JSP that uses i18n.

With locale="true" (default) a new session is created when ActionServlet processes a request. We need to set it to false
to control session creation. I want to know if there are other Struts properties to set to avoid creating new sessions
for non-authenticated users.


Nico.



> Hi Manfred
>
> I think Nicolas is trying to find all places where Struts manipulates the
> session in some way..
>
> Locale=True does indeed manipulate the session..thus resulting in the
> session being created, if not already there.
>
> When no one (action, object, tag, whatever) has requested attributes to be
> stored in the session, no session object will exist..Session info (cookie,
> URL rewriting, etc) is only created if there are attributes on the Session
> object. Am I correct on this one??
>
> I don't understand WHY Nicolas does not want the session to be created...Is
> it because of memory usage...denial of service attacks...?
>
> Maybe, I don't understand, Nicolas, too...but I did give my few pennies
> away :-)
>
> Regards
>
> Henrik
>
> ----- Original Message ----- 
> From: "Manfred Wolff" <ma...@manfred-wolff.de>
> To: "Struts Users Mailing List" <st...@jakarta.apache.org>
> Sent: Thursday, January 08, 2004 3:22 PM
> Subject: Re: Configuring Struts NOT to create (unauthentified) sessions
>
>
> > Nicolas.
> >
> > I perhaps don't understand you, but (!) the locale attribute has nothing
> > to do with creating sessions! The locale attribute tells struts to save
> > a Locale-Object in the session, if there is nothing stored.
> >
> > Manfred


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: Configuring Struts NOT to create (unauthentified) sessions

Posted by HG <st...@nospam.websolver.dk>.
Hi Manfred

I think Nicolas is trying to find all places where Struts manipulates the
session in some way..

Locale=True does indeed manipulate the session..thus resulting in the
session being created, if not already there.

When no one (action, object, tag, whatever) has requested attributes to be
stored in the session, no session object will exist..Session info (cookie,
URL rewriting, etc) is only created if there are attributes on the Session
object. Am I correct on this one??

I don't understand WHY Nicolas does not want the session to be created...Is
it because of memory usage...denial of service attacks...?

Maybe, I don't understand, Nicolas, too...but I did give my few pennies
away :-)

Regards

Henrik

----- Original Message ----- 
From: "Manfred Wolff" <ma...@manfred-wolff.de>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Thursday, January 08, 2004 3:22 PM
Subject: Re: Configuring Struts NOT to create (unauthentified) sessions


> Nicolas.
>
> I perhaps don't understand you, but (!) the locale attribute has nothing
> to do with creating sessions! The locale attribute tells struts to save
> a Locale-Object in the session, if there is nothing stored.
>
> Manfred
>


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: Configuring Struts NOT to create (unauthentified) sessions

Posted by Manfred Wolff <ma...@manfred-wolff.de>.
Nicolas.

I perhaps don't understand you, but (!) the locale attribute has nothing
to do with creating sessions! The locale attribute tells Struts to save
a Locale object in the session, if there is nothing stored.

Manfred

Nicolas De Loof wrote:

>Hi all,
>
>I would like Struts NOT to create a session for an unauthenticated user. As far as I understand Struts code, I need to
>set locale="false" in struts-config.xml <controller>.
>
>Is there any other Struts mechanism that can create a session (excluding action-mapping declared as scope="session")?
>
>Doesn't the "locale" default value (true) expose lots of Struts applications to attack? (server Out of Memory because
>too many sessions have been created - isn't this what is called "Denial of Service"?)
>
>Nico.
>

-- 
===========================================
Dipl.-Inf. Manfred Wolff
-------------------------------------------
phone neusta  : +49 421 20696-27
phone         : +49 421 534522
mobil         : +49 178 49 18 434
eFax          : +49 1212 6 626 63 965 33
-------------------------------------------
____________________________________________________
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.



---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org