Wednesday, July 20, 2011

About session security

Today I read a good article regarding session security that I want to share with you.

Please click here for the article.

Below is the summary.

Always regenerate a session ID (SID) when elevating privileges or changing between HTTP and HTTPS.
Check for suspicious activity and immediately destroy any suspect session.
Store all session information server-side, never store anything except the SID in the client-side cookie.
Confirm SIDs aren't from an external source, and verify the session was generated by your server.
Don't append the SID to URLs as a GET parameter.
Expire sessions on the server side, don't rely on cookie expiration to end a user session.
Use long and unpredictable session IDs.
Properly sanitize user input before setting headers with them.
When a user logs out, destroy their session explicitly on the server.
Check your session configuration.
Force users to re-authenticate on any destructive or critical actions.
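To make the checklist concrete, here is an added example (my own illustration, not code from the article linked above) of an in-memory, server-side session manager that implements several of the points at once: SIDs come from a CSPRNG, all state stays on the server, SIDs that were never issued here or have the wrong shape are rejected, expiry is enforced server-side independent of the cookie, the SID is regenerated when privileges change, and logout destroys the session explicitly. The class, its field names and the 200 ms idle timeout are all assumptions made for the demo.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Hypothetical in-memory session manager written for this post; not from the article.
public class SessionManager {

    // Session state lives only on the server; the client holds nothing but the SID.
    static final class Session {
        final Map<String, Object> attributes = new HashMap<>();
        Instant lastAccess = Instant.now();
        boolean privileged = false;
    }

    private static final SecureRandom RNG = new SecureRandom();
    // 32 random bytes -> 43 URL-safe base64 chars (no padding); that is the only shape accepted.
    private static final Pattern SID_SHAPE = Pattern.compile("[A-Za-z0-9_-]{43}");

    private final Map<String, Session> store = new ConcurrentHashMap<>();
    private final Duration idleTimeout;

    public SessionManager(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    // Long, unpredictable SID from a CSPRNG (256 bits of entropy).
    static String newSid() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Create a session and return the SID to place in the cookie.
    public String create() {
        String sid = newSid();
        store.put(sid, new Session());
        return sid;
    }

    // Resolve a client-supplied SID. Returns null if it is malformed, unknown
    // (never issued by this server) or expired server-side. An expired session
    // is removed rather than trusted, because its cookie may still be alive.
    public Session lookup(String sid) {
        if (sid == null || !SID_SHAPE.matcher(sid).matches()) return null;
        Session s = store.get(sid);
        if (s == null) return null;
        Instant now = Instant.now();
        if (s.lastAccess.plus(idleTimeout).isBefore(now)) {
            store.remove(sid);
            return null;
        }
        s.lastAccess = now;
        return s;
    }

    // Privilege change (e.g. login): keep the server-side state but move it to a
    // fresh SID, so any SID seen before the change stops being valid.
    public String elevate(String oldSid) {
        Session s = lookup(oldSid);
        if (s == null) throw new IllegalStateException("no valid session to elevate");
        store.remove(oldSid);
        s.privileged = true;
        String fresh = newSid();
        store.put(fresh, s);
        return fresh;
    }

    // Logout or suspicious activity: destroy on the server; don't wait for the cookie to expire.
    public void destroy(String sid) { store.remove(sid); }

    public boolean isValid(String sid) { return lookup(sid) != null; }

    public static void main(String[] args) throws InterruptedException {
        SessionManager mgr = new SessionManager(Duration.ofMillis(200));

        String anon = mgr.create();
        mgr.lookup(anon).attributes.put("cart", "item-42"); // constructed sample state

        // A SID of the wrong shape, or one this server never issued, is rejected.
        System.out.println("forged accepted: " + mgr.isValid("AAAA"));
        System.out.println("unissued accepted: " + mgr.isValid(newSid()));

        // Login regenerates the SID; the pre-login SID dies, the state survives.
        String user = mgr.elevate(anon);
        System.out.println("old SID still valid: " + mgr.isValid(anon));
        System.out.println("cart kept across regeneration: " + mgr.lookup(user).attributes.get("cart"));

        // Server-side idle expiry ends the session whatever the cookie's lifetime says.
        Thread.sleep(300);
        System.out.println("expired SID still valid: " + mgr.isValid(user));

        // Explicit logout.
        String s2 = mgr.create();
        mgr.destroy(s2);
        System.out.println("destroyed SID still valid: " + mgr.isValid(s2));
    }
}
```

The shape check is only a cheap first filter; the real "was this issued by my server" test is the lookup in the server-side store. In a real deployment the store would be shared (database or cache) and the SID would be sent in a cookie flagged HttpOnly and Secure rather than in a URL, in line with the points above.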

Tuesday, July 19, 2011

Spring singleton and prototype

Recently I was asked something regarding the Spring singleton; below are some of my thoughts.

1. First, a Spring singleton is not the same as a Java singleton. For example:

SampleBean beanOne = (SampleBean) context.getBean("sampleBean1");
SampleBean beanTwo = (SampleBean) context.getBean("sampleBean2");

Even though, in the Spring application context, sampleBean1 and sampleBean2 refer to the same implementation class, they are still not the same object: Spring's singleton scope means one instance per bean definition per container, not one instance per class.

With a Java singleton, they would be the same object.

2. For example:
SampleBean beanOne = (SampleBean) context.getBean("sampleBean");
SampleBean beanTwo = (SampleBean) context.getBean("sampleBean");

Under singleton scope, beanOne is the same object as beanTwo.
Under prototype scope, beanOne is not the same object as beanTwo: every getBean call creates a new instance.
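Both points above in one runnable program, as an added example (my own, not Spring's documentation code): two singleton definitions of one class, one definition fetched twice, and a prototype definition fetched twice. The bean class SampleBean, the configuration class and the bean name protoBean are assumptions for the demo; it assumes the Spring Framework 3.0 or later on the classpath for AnnotationConfigApplicationContext.

```java
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;

public class ScopeDemo {

    // Hypothetical bean class standing in for the post's SampleBean.
    public static class SampleBean {
        private final long createdAt = System.nanoTime();
        public long getCreatedAt() { return createdAt; }
    }

    @Configuration
    public static class AppConfig {
        // Default scope is singleton: one instance per bean *definition* per container.
        @Bean
        public SampleBean sampleBean1() { return new SampleBean(); }

        // Same class, different definition: a second singleton instance.
        @Bean
        public SampleBean sampleBean2() { return new SampleBean(); }

        // Prototype scope: a new instance on every getBean call.
        @Bean
        @Scope("prototype")
        public SampleBean protoBean() { return new SampleBean(); }
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext context =
                new AnnotationConfigApplicationContext(AppConfig.class);
        try {
            // Point 1: two singleton definitions of the same class are two distinct objects.
            SampleBean one = context.getBean("sampleBean1", SampleBean.class);
            SampleBean two = context.getBean("sampleBean2", SampleBean.class);
            System.out.println("sampleBean1 == sampleBean2 ? " + (one == two));

            // Point 2, singleton scope: the same definition yields the same object every time.
            SampleBean again = context.getBean("sampleBean1", SampleBean.class);
            System.out.println("sampleBean1 == sampleBean1 ? " + (one == again));

            // Point 2, prototype scope: each lookup yields a fresh object.
            SampleBean p1 = context.getBean("protoBean", SampleBean.class);
            SampleBean p2 = context.getBean("protoBean", SampleBean.class);
            System.out.println("protoBean == protoBean ? " + (p1 == p2));
        } finally {
            context.close();
        }
    }
}
```

The identity checks use == deliberately, since the question is object identity, not equals(). The scope distinction matters for security as well as correctness: a singleton bean is shared by every thread and every user of the application, so any per-user or per-request state (a current user, a request parameter, a mutable buffer) kept in a singleton's fields can leak between users; such state belongs in a prototype, request or session scoped bean, or in method-local variables.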