[OWASP-ESAPI] Shameless Blog Plug

Chris Schmidt chrisisbeef at gmail.com
Thu Aug 6 15:26:54 EDT 2009

I am torn on this - mainly because providing such a method on an API
interface really leaves the door open for some REALLY bad implementation
code if someone brews their own implementation to the API method.

Also, it really doesn't by definition enforce the fact that lock objects
need to be final. I thought for a split second about suggesting a method
that handled synchronization for you, performSafeOperation() but even that
isn't really good in practice, and also has risk for failure since
parameters are passed by value, not by reference.

I would love to hear what everyone else thinks on the matter though. Perhaps I
am being too much of a purist in my thinking here.

On Thu, Aug 6, 2009 at 11:47 AM, Dan Cornell <dan at denimgroup.com> wrote:

> > I have been, and will continue to be talking about ESAPI on my
> > relatively new blog so it would be awesome to get everyone here over
> > to read and follow and comment and so forth and start building my blog's
> > footprint on the interwebz.
> >
> > You can check it out at http://yet-another-dev.blogspot.com
> >
> You made a great point that I've seen come up a couple of times recently
> in this post:
> <http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html>
> Would it make sense to add an ESAPI method that would return:
> request.getSession().getId().intern()
> Perhaps a method like:
> getSessionSynchronizationObject()
> I'd need to re-review the API docs to see exactly where this might fit
> best, but that might be a way to promote the "correct" use of session
> synchronization.
> Of course, if you know that there is a "correct" way to do session
> synchronization, you probably already know how to do this and wouldn't
> need a helper method :)
> Thanks,
> Dan
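The two ideas floated in this thread, a stable per-session lock object and a method that runs an operation under that lock, can be sketched so that the hazards Chris raises are visible. The code below is an added example written for this archive page; it is not ESAPI code and not code from either poster. `SessionAttributes` is a constructed stand-in for the three `javax.servlet.http.HttpSession` methods the example needs, `SessionLocks`, `lockFor`, `withSessionLock` and the `example.sessionLock` attribute name are hypothetical names, and the session id is a constructed value. A lambda is used in place of the proposed `performSafeOperation()` because a closure captures its inputs rather than copying them, which sidesteps the pass-by-value concern.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

/**
 * Constructed stand-in for the parts of javax.servlet.http.HttpSession used here.
 * A real HttpSession already provides these three methods, so an adapter is one-liner work.
 */
interface SessionAttributes {
    String getId();
    Object getAttribute(String name);
    void setAttribute(String name, Object value);
}

/** Hypothetical helper (not part of ESAPI): one stable lock object per session. */
final class SessionLocks {
    private static final String LOCK_ATTR = "example.sessionLock"; // assumed attribute name
    private static final Object BOOTSTRAP = new Object();          // guards lock creation only

    private SessionLocks() {}

    /**
     * Returns the session's lock object, creating it race-free on first use.
     * A dedicated final Object is used rather than session.getId().intern():
     * interned strings live in a JVM-wide pool shared with any other code that
     * synchronizes on an equal string, and the monitor is lost if the container
     * rotates the session id. Synchronizing on the HttpSession itself is not
     * reliable either, since containers may hand out wrapper objects.
     */
    static Object lockFor(SessionAttributes session) {
        Object lock = session.getAttribute(LOCK_ATTR);
        if (lock == null) {
            synchronized (BOOTSTRAP) {
                lock = session.getAttribute(LOCK_ATTR);
                if (lock == null) {
                    lock = new Object();
                    session.setAttribute(LOCK_ATTR, lock);
                }
            }
        }
        return lock;
    }

    /** Runs op while holding the session lock; the closure carries its own inputs. */
    static <T> T withSessionLock(SessionAttributes session, Supplier<T> op) {
        synchronized (lockFor(session)) {
            return op.get();
        }
    }
}

public class SessionLockDemo {
    /** Minimal in-memory session so the example runs without a servlet container. */
    static final class InMemorySession implements SessionAttributes {
        private final String id;
        private final Map<String, Object> attrs = new ConcurrentHashMap<>();
        InMemorySession(String id) { this.id = id; }
        public String getId() { return id; }
        public Object getAttribute(String name) { return attrs.get(name); }
        public void setAttribute(String name, Object value) { attrs.put(name, value); }
    }

    /**
     * A read-modify-write of a session attribute. Without a session-wide lock two
     * requests can interleave here and lose updates; synchronizing on the boxed
     * Integer value would not help because setAttribute replaces that object on
     * every call, which is exactly the "lock object must be final" point.
     */
    static int increment(SessionAttributes session) {
        Integer current = (Integer) session.getAttribute("count");
        int next = (current == null ? 0 : current) + 1;
        session.setAttribute("count", next);
        return next;
    }

    public static void main(String[] args) throws InterruptedException {
        SessionAttributes session = new InMemorySession("constructed-session-id");
        Thread[] workers = new Thread[8];
        for (int i = 0; i < workers.length; i++) {
            workers[i] = new Thread(() -> {
                for (int n = 0; n < 10_000; n++) {
                    SessionLocks.withSessionLock(session, () -> increment(session));
                }
            });
            workers[i].start();
        }
        for (Thread worker : workers) {
            worker.join();
        }
        // With the lock every update survives: 8 threads x 10,000 increments.
        System.out.println("count = " + session.getAttribute("count"));
    }
}
```

Save as `SessionLockDemo.java`, compile with `javac SessionLockDemo.java` and run `java SessionLockDemo`; the counter should read 80000. Replacing the `withSessionLock` call with a bare `increment(session)` shows the lost updates the helper is meant to prevent. The `BOOTSTRAP` monitor is global but is only held for the instant a session's lock is created, so it does not serialize request handling across sessions.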