Hashed Code
by Ellis Morning
in Feature Articles
on 2013-10-16
Jan had been tasked with digging into a Java web application exhibiting odd behavior. New users couldn’t create accounts, and existing users sometimes found themselves logged in as other people. Concern about sensitive personal data being exposed to the wrong individuals had raised many corporate hackles, especially within the Legal department. While unresolved, the issue left the company open to litigation.
It was easy to rule out a state management issue. After that, Jan traced a typical login, and noticed something odd. The ID for his test account was 102, a value that came from an autonumbered column in the backend database. However, the application had to pass user data to an external vendor’s iFrame, which had its own mechanism for handling user states. Inside the iFrame, Jan’s ID was 48627.
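The observation above (database ID 102 arriving inside the vendor's iFrame as 48627) is the kind of thing worth checking systematically rather than one account at a time: if the vendor-side identifier is derived from the internal one, the derivation has to be injective over every ID the application can issue, or two users will end up sharing one identity on the vendor side. The Python below is an added example, not code from the article. The mapping function `vendor_id_for` is a constructed stand-in (a hash folded into a fixed range) used only to show what a collision audit looks like; it says nothing about what the real vendor's mechanism did.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Iterable

# Constructed stand-in for an external vendor's ID derivation: hash the
# internal integer ID and fold it into a fixed range. Hypothetical, for the
# demo only; not the mechanism from the article.
VENDOR_ID_SPACE = 65536


def vendor_id_for(internal_id: int) -> int:
    digest = hashlib.sha256(str(internal_id).encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") % VENDOR_ID_SPACE


def find_collisions(ids: Iterable[int],
                    mapping: Callable[[int], int]) -> dict[int, list[int]]:
    """Group internal IDs by the vendor ID they map to and return only the
    groups with more than one member: {vendor_id: [internal_id, ...]}."""
    owners: dict[int, list[int]] = defaultdict(list)
    for internal in ids:
        owners[mapping(internal)].append(internal)
    return {v: sorted(members) for v, members in owners.items()
            if len(members) > 1}


def is_injective(ids: Iterable[int], mapping: Callable[[int], int]) -> bool:
    """True when no two internal IDs share a vendor ID under `mapping`."""
    return not find_collisions(list(ids), mapping)


def first_collision_report(ids: Iterable[int],
                           mapping: Callable[[int], int]) -> str:
    """Human-readable summary of the lowest-numbered colliding group."""
    collisions = find_collisions(list(ids), mapping)
    if not collisions:
        return "no collisions"
    vendor_id = min(collisions)
    members = ", ".join(str(i) for i in collisions[vendor_id])
    return f"vendor id {vendor_id} is shared by internal ids {members}"


if __name__ == "__main__":
    # Audit every ID the application could have issued so far (constructed
    # range). Any non-empty result means two accounts are indistinguishable
    # on the vendor side.
    print(first_collision_report(range(1, 20001), vendor_id_for))
```

Run the audit over the full range of issued IDs, not a sample: with a fixed-size target space the birthday bound guarantees collisions well before the space is exhausted, so a few spot checks that look fine prove nothing. The practical mitigation is to stop deriving the external ID at all and instead assign it from its own sequence and store the pair, which makes the mapping injective by construction and lets the same audit confirm it stays that way.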