Secure Session Object


Classification Key : Core Security, Information Disclosure

Problem

A multi-user, multi-application distributed system needs a mechanism that makes the security context associated with a client session globally accessible and transmits it securely among the distributed applications, each of which runs in its own address space. The developer has to design a standardized structure and interface for the security context. If the context is not retained, users have to authenticate for every request they make. The context has to be protected from malicious code that might use reflection to read the private members of an object. Hackers could sniff the serialized session object while in transit and misuse the data. Session object information may be printed in the log file by components. How can the context be saved and routed securely?

Solution

Abstract the encapsulation of the authentication and authorization credentials that are passed across boundaries into a session object. Encapsulate authentication and authorization information such as credentials, roles and privileges, and use the object for secure transport. Replace the abstract concept with a vendor-specific implementation. Make sure the session object does not inadvertently expose its data to non-privileged entities.
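The following is an added illustration of the solution in Java (the catalog's known use is J2EE); it is not code from the catalog or from any vendor implementation. It assumes the cooperating applications share an AES key provisioned out of band, and the class and method names are hypothetical. The object holds only the authenticated identity, roles and an expiry, never the password, so neither reflection on private members nor a component that logs the object can leak a credential; for transit it is sealed into an AES-GCM envelope so that a sniffed copy is unreadable and a tampered copy is rejected.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/** Immutable security context passed between applications (hypothetical example, not catalog code). */
public final class SecureSessionObject {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    private final String principal;        // authenticated identity
    private final Set<String> roles;       // authorization roles; the password is never stored here
    private final long expiresAtEpochSec;  // bounds how long a sniffed envelope stays usable

    public SecureSessionObject(String principal, Set<String> roles, long expiresAtEpochSec) {
        this.principal = principal;
        this.roles = Collections.unmodifiableSet(new LinkedHashSet<>(roles));
        this.expiresAtEpochSec = expiresAtEpochSec;
    }

    public String principal() { return principal; }
    public boolean hasRole(String role) { return roles.contains(role); }
    public boolean isExpired(long nowEpochSec) { return nowEpochSec >= expiresAtEpochSec; }

    /** Redacted by design: a component that prints the object to a log cannot leak its contents. */
    @Override public String toString() {
        return "SecureSessionObject[principal=" + principal + ", roles=<redacted>]";
    }

    /** Canonical field-by-field encoding instead of Java serialization, so there is no readObject gadget surface. */
    private byte[] encode() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeUTF(principal);
        out.writeLong(expiresAtEpochSec);
        out.writeInt(roles.size());
        for (String r : roles) out.writeUTF(r);
        out.flush();
        return bos.toByteArray();
    }

    private static SecureSessionObject decode(byte[] plain) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(plain));
        String principal = in.readUTF();
        long exp = in.readLong();
        int n = in.readInt();
        Set<String> roles = new LinkedHashSet<>();
        for (int i = 0; i < n; i++) roles.add(in.readUTF());
        return new SecureSessionObject(principal, roles, exp);
    }

    /** Sending side: AES-GCM gives confidentiality and integrity under the key shared by the trusted applications. */
    public String seal(SecretKey key) throws GeneralSecurityException, IOException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                   // fresh nonce per envelope
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(encode());
        byte[] envelope = new byte[iv.length + ct.length];   // layout: iv || ciphertext || tag
        System.arraycopy(iv, 0, envelope, 0, iv.length);
        System.arraycopy(ct, 0, envelope, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(envelope);
    }

    /** Receiving side: any modification in transit fails the GCM tag check before the fields are decoded. */
    public static SecureSessionObject open(String token, SecretKey key, long nowEpochSec)
            throws GeneralSecurityException, IOException {
        byte[] envelope = Base64.getUrlDecoder().decode(token);
        if (envelope.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("envelope too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, envelope, 0, GCM_IV_BYTES));
        byte[] plain = c.doFinal(envelope, GCM_IV_BYTES, envelope.length - GCM_IV_BYTES);
        SecureSessionObject s = decode(plain);
        if (s.isExpired(nowEpochSec)) throw new GeneralSecurityException("session expired");
        return s;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();  // in practice provisioned to both applications out of band (assumption)
        long now = System.currentTimeMillis() / 1000;
        SecureSessionObject s = new SecureSessionObject("alice", Set.of("user", "reports"), now + 600);
        String token = s.seal(key);                                   // what crosses the address-space boundary
        SecureSessionObject received = SecureSessionObject.open(token, key, now);
        System.out.println(received + " reports=" + received.hasRole("reports"));
    }
}
```

The receiving application accepts only an envelope that decrypts and authenticates under the shared key and has not expired; a sniffed token therefore yields no credential, a forged or altered token is rejected, and a replayed one stops working once the expiry passes. The vendor-specific implementation the solution calls for would replace the hand-rolled envelope with the platform's own session or token service while keeping the same interface.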

Known Uses

A Web service implementation in J2EE keeping session information.

Related Patterns

Security Session

Source

Sun Book

Tags

Session, State


Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz