web security hw#663
…with the time zone, so I added two hours
| + ", name='" + name + '\'' | ||
| + ", licenseNumber='" + licenseNumber + '\'' | ||
| + ", login='" + login + '\'' | ||
| + ", password='" + password + '\'' |
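Review bot: `licenseNumber` on the line above the `password` field is personal data as well, so this `toString()` writes it into every log line or debug dump that stringifies a `Driver`; drop both fields from the output (or mask them) rather than removing only the password.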
Never include sensitive data like a user's password in the toString() method. This can lead to unintended exposure of sensitive data.
| protected void doGet(HttpServletRequest req, HttpServletResponse resp) | ||
| throws ServletException, IOException { | ||
| req.getSession().invalidate(); | ||
| req.getRequestDispatcher("/WEB-INF/views/login.jsp").forward(req,resp); |
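Review bot: logout is a state-changing action but is handled in `doGet`, so a plain link or prefetched URL is enough to end a user's session; move the `invalidate()` into `doPost` and trigger it from a form. Also fetch the session with `req.getSession(false)` before invalidating it, so a new session is not created only to be destroyed.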
After invalidating the session, you should redirect the user to the login page instead of forwarding. Forwarding keeps the original request URL in the browser address bar, which could lead to unexpected behavior if the user refreshes the page.
| String name = resultSet.getString("name"); | ||
| String licenseNumber = resultSet.getString("license_number"); | ||
| String login = resultSet.getString("login"); | ||
| String password = resultSet.getString("password"); |
You are trying to get the 'password' field from the result set, but the 'password' field is not included in the SQL query. You need to add 'password' to your SQL query.
|
|
||
| @Override | ||
| public Driver login(String login, String password) throws AuthenticationException { | ||
| Optional<Driver> driver = Optional.ofNullable(driverService.findByLogin(login)); |
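Review bot: the lookup by login and the later password check should fail through the same `AuthenticationException` with the same message, so the login form does not reveal which logins exist; resolving the `Optional` with `orElseThrow(() -> new AuthenticationException(...))` and throwing the identical exception on a password mismatch keeps the two cases indistinguishable.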
The 'Optional.ofNullable' call is unnecessary here because the 'driverService.findByLogin(login)' method should already return an Optional. Instead of using 'Optional.ofNullable', you should expect 'driverService.findByLogin(login)' to return an Optional.
| Driver driver = authenticationService.login(login,password); | ||
| HttpSession session = req.getSession(); | ||
| session.setAttribute("driver_id", driver.getId()); | ||
| resp.sendRedirect("/index"); |
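Review bot: `req.getSession()` on the line after authentication reuses whatever session the browser already had before login, so a session id issued before authentication stays valid afterwards (session fixation). Invalidate the existing session first (`HttpSession old = req.getSession(false); if (old != null) old.invalidate();`) and only then call `req.getSession()` to create the authenticated session and set `driver_id` on it.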
Checklist item:
If you use the sendRedirect() method in your controllers, please pass request.getContextPath() + "/your-endpoint" as the parameter. Currently the context path is empty, but if it is not, your code should still work.
Please recheck all occurrences.
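The two redirect remarks above (redirect rather than forward after invalidating the session, and prefix redirect targets with the context path) fit together in one pair of controllers. The code below is an added example written for this review, not code from the pull request; `LogoutController`, `LoginController`, the `/login` endpoint and the way `AuthenticationService` is wired in are assumptions, while `Driver`, `AuthenticationException`, `authenticationService.login(login, password)`, the `driver_id` attribute, `/index` and `/WEB-INF/views/login.jsp` are taken from the diff.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout controller: end the session, then redirect (not forward),
// building the target from the context path so it works under any deployment path.
public class LogoutController extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) avoids creating a session only to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Correct whether the app is mounted at "/" or at "/some-context".
        // "/login" is an assumed endpoint name for this example.
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}

// Hypothetical login controller: on success, discard the pre-authentication
// session before creating the authenticated one (prevents session fixation),
// then redirect with the context path. On failure, re-render the login view.
class LoginController extends HttpServlet {
    // How the service is obtained is an assumption (injected, looked up, etc.).
    private final AuthenticationService authenticationService;

    LoginController(AuthenticationService authenticationService) {
        this.authenticationService = authenticationService;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String login = req.getParameter("login");
        String password = req.getParameter("password");
        try {
            Driver driver = authenticationService.login(login, password);

            // Any session that existed before login must not survive authentication.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = req.getSession(true);
            session.setAttribute("driver_id", driver.getId());

            resp.sendRedirect(req.getContextPath() + "/index");
        } catch (AuthenticationException e) {
            // Same message for unknown login and wrong password: the form should
            // not reveal which logins exist.
            req.setAttribute("errorMsg", "Login or password is incorrect");
            req.getRequestDispatcher("/WEB-INF/views/login.jsp").forward(req, resp);
        }
    }
}
```

The login path keeps `forward` only for the failure branch, where re-rendering the form on the same request is the intended behaviour; every success and logout path ends in `sendRedirect` with `req.getContextPath()` prepended.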
| && Objects.equals(password, driver.password); | ||
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Objects.hash(id, name, licenseNumber); | ||
| return Objects.hash(id, name, licenseNumber, login, password); |
Do not include the password in the equals/hashCode methods. Further, the password will not be stored as plain text; it will be hashed, and this may cause unpredictable behaviour.
Co-authored-by: Oleksandr Kovalenko <85791855+olekskov@users.noreply.github.com>
…security into secutiryWebBranch