
Re: UU code



That's not good enough. Here is a scenario:
1. User 1 sends a request that performs a login.
2. User 2 sends another request that does not perform a login
   (due to a bug or just the fact that no login is needed).
3. There is an SQL injection bug in page2. Thus User 2
   has the full rights of User 1 while doing his nasty stuff.



Alexey Parshin wrote:
> Actually, the login procedure takes care of user records in
> session_info. There will always be zero or one record there.
>
> 2007/3/16, Ilya A. Volynets-Evenbakh <ilya@total-knowledge.com>:
>
>     sergey@total-knowledge.com wrote:
>     > In this case, I guess the solution is:
>     >
>     > In Header.csp
>     >
>     > <% if(request.hasAttribute("UserId")) { %>
>     > <input type="hidden" name="userid" value="<%=
>     > request.getAttribute<std::string>("UserId") %>">
>     > <% } %>
>     >
>     This isn't going to do you any good. You will not always have a single
>     form to submit. This info should be kept inside of session.
>     > In UUServlet new operation
>     >
>     > void UUServlet::setEnvironment(HttpServletRequest& req){
>     >   string userid = req.getParameter("userid");
>     >   if(!userid.empty())   // std::string has no bool conversion
>     >     req.setAttribute("UserId", setattr_t(new string(userid)));
>     > }
>     >
>     No. User ID should be dealt with at login time, and saved in session.
>     Do not pass it around the network all the time - it's a waste of
>     resources.
>     > setEnvironment() can be used for setting other global parameters
>     and will
>     > be called in each servlet service() function.
>     >
>     That might be a good idea. Needs more detailed thinking. One thing
>     is that you don't really want to rely on every service function
>     calling
>     this explicitly (you'll forget to call it at some point in time, I
>     can
>     guarantee you that ;-)
>     > <snip getSessionInfo stuff>
>     >
>     You may want to change all that to key the temp login table
>     off of session ID rather than user ID. This way you don't need to
>     save any extra info in session itself.
>
>     BTW, the alternative path (clearing the temp table after processing
>     every request) is also implementable - if we make our DB
>     connection pool
>     take care of that.
>
>     >> Guys, don't forget that database connections will be
>     >> pooled. That means there will be different requests
>     >> from _different_ users handled by the same connection.
>     >> This, in turn, means that unless someone takes care
>     >> of cleaning up the table after each request, there could
>     >> be more than one record in there.
>     >>
>     >>
>     >> sergey@total-knowledge.com wrote:
>     >>
>     >>> Understood.
>     >>> Here is my version:
>     >>>
>     >>>   bool isValid = false;
>     >>>   try {
>     >>>     CQuery qrySelect(&db,"select si_person from session_info");
>     >>>     qrySelect.open();
>     >>>     while ( ! qrySelect.eof() ) {
>     >>>       isValid = true;
>     >>>       qrySelect.fetch();
>     >>>     }
>     >>>     qrySelect.close();
>     >>>   }
>     >>>   catch (exception& e) {
>     >>>     cout<<"\nError: " <<e.what();
>     >>>   }
>     >>>   return isValid;
>     >>>
>     >>>
>     >>> I know there's supposed to be only one record in the session_info
>     >>> table, but I still prefer to loop since it's a select query.
>     >>>
>     >>>
>     >>>
>     >>>
>     >>>
>     >>>> Actually, the "no record test" is better done not as:
>     >>>>
>     >>>> if (!user_id)
>     >>>>
>     >>>> but as (right after query_open()):
>     >>>>
>     >>>> if (query.eof())
>     >>>>
>     >>>> 2007/3/15, Alexey Parshin <alexeyp@gmail.com>:
>     >>>>
>     >>>>
>     >>>>> int user_id = 0;
>     >>>>> string user_name;
>     >>>>> try {
>     >>>>>    Query query(&db,"select si_person, si_person_name from session_info");
>     >>>>>    query.open();
>     >>>>>    user_id = query[0];
>     >>>>>    user_name = query[1];
>     >>>>>    query.close();
>     >>>>>    if (!user_id)
>     >>>>>       throw CException("User not logged in");
>     >>>>> }
>     >>>>> catch (exception& e) {
>     >>>>>    cout << "OOPS, " << e.what() << endl;
>     >>>>> }
>     >>>>>
>     >>>>> 2007/3/15, sergey@total-knowledge.com <sergey@total-knowledge.com>:
>     >>>>>
>     >>>>>
>     >>>>>> In order to perform authentication on each application page I need
>     >>>>>> to find out if a user with a certain ID exists in the session_info
>     >>>>>> table. I want to make sure that I understand how it will work, so
>     >>>>>> the question is:
>     >>>>>>
>     >>>>>> 1. If the session_info table exists
>     >>>>>> AND
>     >>>>>> 2. there is one entry there (it doesn't matter what the value is),
>     >>>>>>
>     >>>>>> it means that the current user is logged in.
>     >>>>>>
>     >>>>>> Is it true?
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>> --
>     >>>>> Alexey Parshin,
>     >>>>> http://www.sptk.net
>     >>>>>
>     >>>>>
>     >>>>>
>     >>>> --
>     >>>> Alexey Parshin,
>     >>>> http://www.sptk.net
>     >>>>
>     >>>>
>     >>>>
>     >>>
>     >>>
>     >> --
>     >> Ilya A. Volynets-Evenbakh
>     >> Total Knowledge. CTO
>     >> http://www.total-knowledge.com
>     >>
>     >>
>     >>
>     >
>     >
>     >
>
>     --
>     Ilya A. Volynets-Evenbakh
>     Total Knowledge. CTO
>     http://www.total-knowledge.com
>
>
>
>
> -- 
> Alexey Parshin,
> http://www.sptk.net 

-- 
Ilya A. Volynets-Evenbakh
Total Knowledge. CTO
http://www.total-knowledge.com
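The pooled-connection hazard Ilya describes, and the two fixes the thread mentions (keying session_info off the session ID, or having the pool clear the temp table after each request), as a constructed Python simulation with an in-memory SQLite table standing in for one shared connection. This is an added example, not the project's SPTK/CSP code; the si_session column name and the "sess-A"/"sess-B" session IDs are assumptions.

```python
import sqlite3

# Constructed stand-in for ONE pooled database connection: whatever one
# request leaves in session_info is visible to the next request on it.
class PooledConnection:
    def __init__(self, keyed_by_session):
        self.db = sqlite3.connect(":memory:")
        self.keyed = keyed_by_session
        if keyed_by_session:
            # Ilya's fix: key the temp login table off the session ID
            # (si_session is an assumed column name; si_person is from the thread)
            self.db.execute("create table session_info "
                            "(si_session text primary key, si_person integer)")
        else:
            # original design: a bare table expected to hold zero or one record
            self.db.execute("create table session_info (si_person integer)")

def login(conn, session_id, user_id):
    if conn.keyed:
        conn.db.execute("insert or replace into session_info values (?, ?)",
                        (session_id, user_id))
    else:
        conn.db.execute("insert into session_info values (?)", (user_id,))
    conn.db.commit()

def current_user(conn, session_id):
    # the thread's "is anybody logged in?" check; None is the query.eof() case
    if conn.keyed:
        cur = conn.db.execute("select si_person from session_info "
                              "where si_session = ?", (session_id,))
    else:
        cur = conn.db.execute("select si_person from session_info")
    row = cur.fetchone()
    return row[0] if row else None

def release_to_pool(conn):
    # the alternative fix: the pool clears the temp table after every request
    conn.db.execute("delete from session_info")
    conn.db.commit()

def simulate(keyed_by_session, pool_cleans_up):
    # Replays the scenario above on one connection: request 1 (browser session
    # A) logs in as user 1; request 2 (session B) never logs in, then asks who
    # is logged in. Returns 1 when user 2 would inherit user 1's rights.
    conn = PooledConnection(keyed_by_session)
    login(conn, "sess-A", 1)
    if pool_cleans_up:
        release_to_pool(conn)
    return current_user(conn, "sess-B")
```

With neither fix, simulate(False, False) returns 1, i.e. the second user is treated as user 1; with either fix the unauthenticated request sees no record.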


Authoright © Total Knowledge: 2001-2008