I have recently started to maintain an online system. It is using JSF with PrimeFaces for the front end, with a Java backend. JSF is a new technology for me.
During the login process the whole user table (including clear text passwords (will soon be fixed)) is loaded into a HttpSession attribute, and referenced in other parts of the system. The system has less than 50 users, so the size of data is not a big concern to me.
The fact that all the user data are riding in the session is however a concern.
Do I worry needlessly, or is there a way to gain access to this information via a client side exploit? Are there any other reasons I can put on my manager's table as justification for an urgent rewrite of this mechanism?
Abbreviated code below:
login.xhtml
<p:inputText id="username" value="#{userBean.userName}" name="username"></p:inputText>
<p:password id="password" value="#{userBean.password}"></p:password>
<p:commandButton id="loginSubmit" value="Login" action="#{userBean.auth}"></p:commandButton>
UserBean.java

import java.util.HashMap;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

@ManagedBean(name = "userBean")
@SessionScoped
public class UserBean {
    public String auth() {
        // ...
        FacesContext fctx = FacesContext.getCurrentInstance();
        HttpSession session = (HttpSession) fctx.getExternalContext().getSession(true);
        // dbBean: the data-access bean, declaration elided in the post.
        // Every user row, clear-text password included, is cached in the session.
        HashMap<Long, UserDetail> usersMap = dbBean.getAllUserDetails();
        session.setAttribute("usersMap", usersMap);
        // ...
    }
}
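As an added example (not the poster's code or the project's own), the following rewrite of the bean keeps only the authenticated user's id in the session, verifies passwords against salted PBKDF2 hashes, regenerates the session id on login, and lets other beans load the single current user row on demand instead of reading a cached table. The UserRepository interface, its findByUsername/findById methods, the "login"/"home" navigation outcomes and the PBKDF2 parameters are assumptions standing in for the elided dbBean and the rest of the application.

```java
// Added example, not the poster's or the project's code. Assumes a hypothetical
// UserRepository (stand-in for the post's dbBean) and passwords already migrated
// from clear text to salted PBKDF2 hashes.
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

@ManagedBean(name = "userBean")
@RequestScoped // nothing in this bean needs to outlive the login request
public class UserBean {

    /** Credential row as stored in the database: salt + PBKDF2 hash, never clear text. */
    public static final class StoredUser {
        public final long id; public final String username;
        public final byte[] salt; public final byte[] hash; public final int iterations;
        public StoredUser(long id, String username, byte[] salt, byte[] hash, int iterations) {
            this.id = id; this.username = username; this.salt = salt;
            this.hash = hash; this.iterations = iterations;
        }
    }

    /** Hypothetical DAO (assumption) replacing the post's dbBean.getAllUserDetails(). */
    public interface UserRepository {
        StoredUser findByUsername(String username); // null when no such user
        StoredUser findById(long id);
    }

    public static final String SESSION_USER_ID = "authenticatedUserId";
    private static final int KEY_BITS = 256;
    private static final int ITERATIONS = 310_000;
    private static final SecureRandom RNG = new SecureRandom();
    /** Decoy record so an unknown username costs the same PBKDF2 work as a wrong password. */
    private static final StoredUser DECOY = newUser(-1, "", "decoy".toCharArray());

    private String userName;
    private String password;
    private UserRepository userRepository; // set by the container in the real application

    public String auth() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        StoredUser user = userRepository.findByUsername(userName);
        char[] candidate = (password == null || password.isEmpty())
                ? "?".toCharArray() : password.toCharArray();
        password = null; // drop the clear-text value as early as possible
        boolean ok = verify(candidate, user != null ? user : DECOY) && user != null;
        if (!ok) {
            return "login?faces-redirect=true";
        }
        ec.invalidateSession();                         // fresh session id after login
        HttpSession session = (HttpSession) ec.getSession(true);
        session.setAttribute(SESSION_USER_ID, user.id); // only the principal, not the user table
        return "home?faces-redirect=true";
    }

    /** How other beans get the current user: read the id, then load that one row on demand. */
    public StoredUser currentUser() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        HttpSession session = (HttpSession) ec.getSession(false);
        Object id = session == null ? null : session.getAttribute(SESSION_USER_ID);
        return id instanceof Long ? userRepository.findById((Long) id) : null;
    }

    /** Builds a hashed record for a new password (also used when migrating the old table). */
    public static StoredUser newUser(long id, String username, char[] clearText) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new StoredUser(id, username, salt, pbkdf2(clearText, salt, ITERATIONS), ITERATIONS);
    }

    /** Recomputes the hash with the stored salt and compares it in constant time. */
    public static boolean verify(char[] candidate, StoredUser u) {
        return MessageDigest.isEqual(pbkdf2(candidate, u.salt, u.iterations), u.hash);
    }

    private static byte[] pbkdf2(char[] pw, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        } finally {
            spec.clearPassword();   // wipe the copy held by the spec
            Arrays.fill(pw, '\0');  // and the caller's char[]
        }
    }

    public String getUserName() { return userName; }
    public void setUserName(String v) { userName = v; }
    public String getPassword() { return password; }
    public void setPassword(String v) { password = v; }
}
```

With this shape the session holds a single Long, so anything that exposes session contents on the server side (a serialized session store, a heap dump, a debugging page, a session-replication channel) reveals one user id rather than every account's password, and each request sees the current database row instead of a copy taken at login time.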
Although comments answered your question, let's sum it up :