Secure Session Object
: Core Security, Information Disclosure
A multi-user, multi-application distributed system needs a mechanism that makes the security context associated with a client session globally accessible and transmits that context securely among the distributed applications, each of which has its own address space. The developer has to design a standardized structure and interface to the security context. If the context is not retained, users have to authenticate for every request that they make. The context has to be protected from malicious code that might try to use reflection to get private members of an object. Hackers could sniff the serialized session object while in transit and misuse the data. Session object information may be printed in the log file by components.
How can the context be saved and routed securely?
Abstract the encapsulation of authentication and authorization credentials that are passed across boundaries into a session object. Encapsulate authentication and authorization information such as credentials, roles and privileges, and use the session object for secure transport. Replace the abstract concept with a vendor-specific implementation. Make sure the session object does not inadvertently expose data to non-privileged entities.
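A sketch of such a session object in Java, added here as an example and not taken from the pattern catalog or any vendor implementation; it covers the logging and in-transit exposure named in the problem statement. The class name, method names and wire layout are hypothetical, and it assumes the cooperating applications already share an AES key and that principal and role names contain no newline or comma.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example: hypothetical class, not code from the pattern catalog.
public final class SecureSessionObject {
    private final String principal;
    private final Set<String> roles;
    private final char[] credential;   // never logged, never sealed for transport

    public SecureSessionObject(String principal, Set<String> roles, char[] credential) {
        this.principal = Objects.requireNonNull(principal);
        this.roles = Collections.unmodifiableSet(new TreeSet<>(roles)); // defensive copy
        this.credential = credential.clone();
    }
    public String principal() { return principal; }
    public boolean hasRole(String role) { return roles.contains(role); }
    public void invalidate() { Arrays.fill(credential, '\0'); } // wipe secret at logout

    // Components that log the session object see no credential material.
    @Override public String toString() {
        return "Session[principal=" + principal + ", roles=" + roles + ", credential=<redacted>]";
    }

    // Seal principal and roles with AES-GCM: a sniffed copy is unreadable and tamper-evident.
    public byte[] seal(SecretKey key) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                       // fresh nonce per message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] plain = (principal + "\n" + String.join(",", roles)).getBytes(StandardCharsets.UTF_8);
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // Receiving application: decrypt and verify; AEADBadTagException if the bytes were modified.
    public static SecureSessionObject unseal(byte[] wire, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, wire, 0, 12));
        byte[] plain = c.doFinal(wire, 12, wire.length - 12);
        String[] parts = new String(plain, StandardCharsets.UTF_8).split("\n", -1);
        Set<String> roles = new TreeSet<>();
        if (!parts[1].isEmpty()) roles.addAll(Arrays.asList(parts[1].split(",")));
        return new SecureSessionObject(parts[0], roles, new char[0]);
    }
}
```

The class deliberately does not implement `java.io.Serializable`, so the only way to move it between address spaces is through `seal`, and the credential itself never leaves the process that authenticated the user.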
A Web service implementation in J2EE keeping session information.
Last modified: May 05, 2012
and Maintained by: Munawar Hafiz