java - is removing user credentials from session in addition to invalidate() superfluous? -


i looking @ legacy code base (at least ten years old) featuring amounts jsp model 2 architecture (basically servlets , jsp pages).

i noticing code following:

session.removeattribute("loginbean"); session.invalidate();

is there benefit in removing user credentials session. shouldn't invalidate alone sufficient? invalidate documentation seems pretty clear on subject.

is there benefit in removing user credentials session. shouldn't invalidate alone sufficient ?

yes, there benefit , best practice remove sensitive information usercredentials object before invalidating httpsession security perspective explained below:

when call invalidate() on httpsession object, j2ee container internally triggers httpsessionlistener sessiondestroyed(httpsessionevent se) method. so, if don't remove usercreadentials object session, can still able retrieve inside sessiondestroyed method.

so, point is best practice remove sensitive information httpsession/cache/etc.. know data no longer required object (like usercredentials) no more reachable, reduce scope misuse.

you can @ guideline 2-2 below quote java secure coding guide:

some information, such social security numbers (ssns) , passwords, highly sensitive. information should not kept longer necessary nor may seen, administrators.

you can @ here


-

Comments

Post a Comment

Popular posts from this blog

java - SSE Emitter : Manage timeouts and complete() -

i writing web app multiple listeners(evcentsource sse clients js) connected server . want store sse emitter per connected listener : can done in memory or other means assigning id each client able achieve far now question ; how send response/event specific client connected web app ? while doing sseemmiters stored either getting completed or timed out. how prevent ? how keep sseemmiter available open infinite time (till client closes) , send events selectively .
Read more

jquery - uncaught exception: DataTables Editor - remote hosting of code not allowed -

i'm trying implement crud operation using datatableseditor using datatables.but i'm getting error messages: 1)uncaught exception: datatables editor - remote hosting of code not allowed. please see http://editor.datatables.net details on how purchase editor license 2)typeerror: a.editor undefined 3) $.fn.datatable.editor not constructor" what reason? here configuration: <%@ page language="java" contenttype="text/html; charset=iso-8859-1" pageencoding="iso-8859-1"%> <!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <title>insert title here</title> <link rel="stylesheet" type="text/css" href="//cdn.datatables.net/1.10.12/css/jquery.datatables.min.css"> <link re...
Read more

java - How to resolve error - package com.squareup.okhttp3 doesn't exist? -

i trying convert json java object use of gson in maven, following youtube video guidance - https://www.youtube.com/watch?v=vqgghm9pwe0 , theres error occurs when in main class error - package com.squareup.okhttp3 doesn't exist. code below: java package com.codebeasty.json; import com.squareup.okhttp3.okhttpclient; public class main { private static okhttpclient client = new okhttpclient(); public static void main (string [] args) { } } i put in dependency in pom.xml: <dependencies> <dependency> <groupid>com.squareup.okhttp3</groupid> <artifactid>okhttp</artifactid> <version>3.4.2</version> </dependency> <dependency> <groupid>com.google.code.gson</groupid> <artifactid>gson</artifactid> <version>2.8.0</version> </dependency> </dependencies> i dont understand why doesn't recognize com.squareup. there may need download? have downl...
Read more