Reputation: 23025
We have a JSP page and a Servlet, where we pass the parameters via URL from the JSP to the Servlet. Below is the JSP link:
<a href="OpenServlet?idClient=23">Allergies</a>
In our servlet, we do some processing like below:
// The client id is taken straight from the URL query string
int id = Integer.parseInt(request.getParameter("idClient"));
// Do the work (nothing here checks whether the logged-in user may see client "id")
RequestDispatcher d = request.getRequestDispatcher("view.jsp");
d.forward(request, response);
Unfortunately this makes the idClient 100% visible, and it is also editable. We have noticed that the user can simply edit the idClient in the URL and access other clients' information too! Not only that, anyone can access anyone's info, whether the client belongs to them or not!
How can we stop this?
Upvotes: 0
Views: 284
Reputation: 58868
Get the logged-in user.
Check whether that user is supposed to be able to access this client's details.
If not, return an error page instead of the client details page.
I can't be more specific without knowing the details of your existing code and database structure.
Upvotes: 2
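One way to implement the three steps above in the asker's servlet, as an added example (not the asker's code and not from the accepted answer). It assumes the servlet container has already authenticated the user, so request.getUserPrincipal() returns the logged-in user; the ClientDao class, its canView/findById methods and the in-memory ownership table are hypothetical stand-ins for the real database lookup:

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class OpenServlet extends HttpServlet {

    // Hypothetical DAO. In a real application canView() would run something like
    //   SELECT 1 FROM client WHERE id = ? AND owner_username = ?
    // with a PreparedStatement; here a constructed in-memory table stands in for it.
    static class ClientDao {
        private final Map<Integer, String> ownerByClientId = new HashMap<>();

        ClientDao() {
            ownerByClientId.put(23, "alice"); // constructed sample data
            ownerByClientId.put(24, "bob");
        }

        boolean canView(String username, int clientId) {
            String owner = ownerByClientId.get(clientId);
            return owner != null && owner.equals(username);
        }

        String findById(int clientId) {
            return "client #" + clientId; // stand-in for the real client record
        }
    }

    private final ClientDao clientDao = new ClientDao();

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Step 1: identify the caller from the server-side session, never from a
        // request parameter the user can edit.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Parse the requested id defensively; a non-numeric value is a bad request,
        // not a 500 from NumberFormatException.
        int clientId;
        try {
            clientId = Integer.parseInt(request.getParameter("idClient"));
        } catch (NumberFormatException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Step 2: authorize THIS user against THIS client id.
        if (!clientDao.canView(user.getName(), clientId)) {
            // Step 3: error page instead of the client details. The same status is
            // used for "not yours" and "does not exist" so ids cannot be enumerated
            // by comparing responses.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Only an authorized request reaches the view.
        request.setAttribute("client", clientDao.findById(clientId));
        RequestDispatcher d = request.getRequestDispatcher("view.jsp");
        d.forward(request, response);
    }
}
```

With this in place, alice logged in and requesting OpenServlet?idClient=23 gets view.jsp, while the same session requesting idClient=24 (bob's client) or idClient=999 (nonexistent) gets the error response. The key point is that the check is keyed on the identity held in the session, so editing the URL changes only which record is asked for, not who is asking; putting the owner condition into the SQL itself (WHERE id = ? AND owner_username = ?) is the most robust variant because there is then no code path that loads a record without the ownership test.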