
Scala Play security issue

I'm trying to develop a web site using Scala Play and found 1 issue with the "login page".

I ask for the login and password, then I store the password with the help of this code:

Redirect(routes.UserPage.form(useremailverify.username)).withSession("name" -> useremailverify.username,"guid" -> md5hash1)

But suddenly I found out that it is a global session! It's global to all users. You can check it by navigating to http://pickti.me/emailVerificationForm , where you'll see in the top right corner that you're logged in already! Does anyone know how to create these sessions new for each user?

UPD 1: On the form I check whether the user is logged in this way:

request =>
  request.session.get("name").map { userName =>
    username = userName
  }

So if username is not blank, the user is logged in.

UPD 2: If I try:

Redirect(routes.UserPage.form(useremailverify.username)).newSession.withSession("name" -> useremailverify.username,"guid" -> md5hash1)

I get compilation error:

value newSession is not a member of play.api.mvc.SimpleResult[play.api.mvc.Results.EmptyContent]

UPD 3: Code:

Redirect(routes.UserPage.form(usersignin.email)).withNewSession("name" -> usersignin.email,"guid" -> md5hash1)

Error:

play.api.mvc.PlainResult does not take parameters

The only version without an error (but this code doesn't save data for more than 1 navigation) is:

Redirect(routes.UserPage.form(usersignin.email)).withNewSession.flashing("name" -> usersignin.email,"guid" -> md5hash1)

UPD 4:

Correct way to use withNewSession (BUT it didn't solve the main problem...):

Redirect(routes.UserPage.form(useremailverify.username)).withNewSession.withSession("name" -> useremailverify.username,"guid" -> md5hash1)

UPD 5:

The PLAY_SESSION cookie contains this: "043455c05b1481c501a61167f5dd09e7ec73e693-name=starbucks%40picktime.ru&guid=d7d4c9c3f078d150effbef5e0706c557", so data is gathered from the cookie... =(

UPD 6:

Changed the version of Play Framework to 2.2.1, but the problem is still alive.

withSession does not set the cookie for all the users. So I think your check is not OK. I am working on a new security framework for Play named PlayGuard! You can use this framework, or you can look at its code and solve your problem.

https://github.com/psycho-ir/PlayGuard-module
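
Added example, not part of the question or the answer above and not PlayGuard's code: one way to write the login check so that the state is read from each request's own session cookie. It assumes that `username` in the question is a `var` declared on the controller object; `currentUser`, `Authenticated` and the `/login` path are hypothetical names.

```scala
import play.api.mvc._

object UserPage extends Controller {

  // Shape assumed for the question's check: a field on the controller object.
  // A Scala object is a singleton, so the field is shared by every request.
  // Once one logged-in visitor's cookie sets it, all other visitors see it too:
  //   var username = ""
  //   request.session.get("name").map { userName => username = userName }

  // Per-request lookup: the name comes only from the PLAY_SESSION cookie
  // sent with this request and is never stored outside the request scope.
  private def currentUser(request: RequestHeader): Option[String] =
    request.session.get("name").filter(_.nonEmpty)

  // Hypothetical wrapper: runs `block` only when this request carries a
  // session with a non-empty "name"; otherwise clears the session and
  // sends the browser to the (assumed) login path.
  def Authenticated(block: String => Request[AnyContent] => Result): Action[AnyContent] =
    Action { request =>
      currentUser(request) match {
        case Some(user) => block(user)(request)
        case None       => Redirect("/login").withNewSession
      }
    }

  // The page for `email` is shown only to the user whose session names it.
  def form(email: String) = Authenticated { user => request =>
    if (user == email) Ok("Logged in as " + user)
    else Forbidden("This page belongs to another user")
  }
}
```

A quick check for this class of bug is to open the page in a second browser with no cookies: with the per-request lookup it is redirected to the login path, while a shared field shows the first visitor's name.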
