echo: nthelp
to: Paul Ranson
from: Adam Flinton
date: 2005-05-24 18:38:18
subject: Re: What`s wrong with Microsoft???

From: Adam Flinton 

Paul Ranson wrote:
> If your db connection is held in a session then I have a trivial DoS
> opportunity. This is nothing to do with C++, rather with unsafe practices
> when writing web apps...
>

Really? So given you have to log in & be authenticated before the DB
conn is created within the session & that only one session can exist
per user, I am curious what this DoS attack will be.


Adam

> Paul
>
> "Adam Flinton"  wrote in message
> news:4292ed4d$1{at}w3.nls.net...
>
>>Paul Ranson wrote:
>>
>>>The 'Web app' serves up a page at a time, all the db access is done from
>>>the web server, so the web app needs a connection for each page served.
>>
>>Huh? Blimey. No sessions in C++ land?
>>
>>
>>
>>>It should get one from the pool at the start of page processing and
>>>return it at the end.
>>
>>Good lord. No wonder people don't use C++ for web apps.
>>
>>
>>>Using a pool means this is very cheap compared to an actual db query.
>>
>>Yes but why when you can just go from page to page within a single
>>session?
>>
>>
>>
>>>User authentication should be separate and not attached to a specific db
>>>connection. Or am I missing something?
>>>
>>
>>
>>Depends on the app. A number of the secure web apps use say an LDAP ID
>>server which is called on login & supplies a token which is then held
>>within the session & is used as the dbid as the DB requires auditable
>>record keeping (e.g. who updated this & when).
>>
>>Adam
>
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
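The two designs argued over in this thread, a DB connection pinned to the login session versus a connection borrowed from the pool per page with only the authenticated identity kept in the session, simulated side by side. This is an added example and not code from either poster; the pool size, the temporary SQLite file and the `widget` table with its `updated_by` audit column are assumptions for the demonstration.

```python
"""Connection-per-session vs connection-per-page against a fixed-size pool."""
import os
import queue
import sqlite3
import tempfile
from contextlib import contextmanager

# Assumed: one throwaway SQLite file shared by every pooled connection.
DB_PATH = os.path.join(tempfile.mkdtemp(), "demo.db")


class PoolExhausted(Exception):
    """Raised when a page asks for a connection and none is free."""


class ConnectionPool:
    """Fixed-size pool; acquire() fails fast rather than blocking when empty."""

    def __init__(self, size):
        self._free = queue.Queue()
        for _ in range(size):
            self._free.put(sqlite3.connect(DB_PATH))

    def acquire(self):
        try:
            return self._free.get_nowait()
        except queue.Empty:
            raise PoolExhausted("no free database connection")

    def release(self, conn):
        self._free.put(conn)

    def free(self):
        return self._free.qsize()


@contextmanager
def page_connection(pool):
    """Borrow a connection for one page and always hand it back."""
    conn = pool.acquire()
    try:
        yield conn
    finally:
        pool.release(conn)


def init_schema(pool):
    # Assumed audit table: who last wrote each row.
    with page_connection(pool) as conn:
        conn.execute("CREATE TABLE IF NOT EXISTS widget "
                     "(id INTEGER PRIMARY KEY, name TEXT, updated_by TEXT)")
        conn.execute("DELETE FROM widget")
        conn.commit()


# Pattern A: the session owns a connection for the user's whole lifetime.
def login_hold_connection(pool, sessions, user):
    sessions[user] = {"user": user, "conn": pool.acquire()}


def page_with_held_connection(sessions, user, name):
    s = sessions[user]
    s["conn"].execute("INSERT INTO widget (name, updated_by) VALUES (?, ?)",
                      (name, s["user"]))
    s["conn"].commit()


# Pattern B: the session holds only the authenticated identity; each page
# borrows a pooled connection and passes the identity along for the audit column.
def login_identity_only(sessions, user):
    sessions[user] = {"user": user}


def page_with_pooled_connection(pool, sessions, user, name):
    s = sessions[user]
    with page_connection(pool) as conn:
        conn.execute("INSERT INTO widget (name, updated_by) VALUES (?, ?)",
                     (name, s["user"]))
        conn.commit()


def concurrent_sessions_supported(pool_size, pattern):
    """Log users in until the pool runs dry; return (users served, free conns)."""
    pool = ConnectionPool(pool_size)
    init_schema(pool)
    sessions, served = {}, 0
    for i in range(pool_size * 3):
        user = f"user{i}"
        try:
            if pattern == "hold":
                login_hold_connection(pool, sessions, user)
                page_with_held_connection(sessions, user, f"w{i}")
            else:
                login_identity_only(sessions, user)
                page_with_pooled_connection(pool, sessions, user, f"w{i}")
            served += 1
        except PoolExhausted:
            break
    return served, pool.free()


def audit_trail_demo():
    """Pattern B still records who updated what, without pinning a connection."""
    pool = ConnectionPool(2)
    init_schema(pool)
    sessions = {}
    for user, name in (("alice", "alpha"), ("bob", "beta")):
        login_identity_only(sessions, user)
        page_with_pooled_connection(pool, sessions, user, name)
    with page_connection(pool) as conn:
        return conn.execute("SELECT name, updated_by FROM widget ORDER BY id").fetchall()
```

With a pool of three, pattern A serves three logged-in users and the fourth login fails even though every earlier page completed, because each session keeps its connection until logout; pattern B serves all nine with the pool back at three free connections between pages, and the `updated_by` column still carries the session's identity because the identity travels with the query rather than with the connection.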
