Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time.
Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information.
HttpSession
attribute can damage application reliability.HttpSession
object across multiple JVMs so that if one JVM becomes unavailable another can step in and take its place without disrupting the flow of the application.Serializable
interface.
public class DataGlob {
String globName;
String globValue;
public void addToSession(HttpSession session) {
session.setAttribute("glob", this);
}
}
jti
claim provides a unique identifier for the JWT. It can be used to prevent the JWT from being replayed. The application "signs out" the user from all devices by deleting all JWTs in the backend store associated with that user. In addition, the developer should use exp
(expiration time) to expire the JWT.refresh_tokens
to web application clients and native application clients without verifying client_id
and client_secret
might be susceptible to impersonation attacks.client_id
and client_secret
when refreshing the access_token
are susceptible to impersonation and unauthorized access attacks. Authorization servers might issue refresh tokens to web application clients and native application clients. The authorization server must verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server should deploy other means to detect refresh token abuse such as redirecting the user to repeat the authorization process after an expiration date is reached.state
parameter value with sufficient entropy are susceptible to a CSRF vulnerability.state
parameter value with sufficient entropy are susceptible to a CSRF vulnerability that might give an attacker the ability to login to the victim's current application account using a third-party account without any restrictions.state
parameter value is predictable. An attacker can perform a normal OAuth2 process and get the redirection URL that contains the authorization code for the third-party. The attacker can bind their own account to the victim's account for the vulnerable application by enticing a victim to access this URL. If the state
parameter is set in the redirection URL but without sufficient entropy, then an attacker can predict the user's state
parameter and forge a reliable redirection URL to persuade the victim to access and then implement a CSRF attack. block.timestamp
or block.number
as a proxy for time.block.timestamp
or block.number
are often used by developers to trigger time-dependent events, however, these values often give a sense of time that is generally not safe to use.block.timestamp
is unreliable at best, and at worst, malicious miners can alter the timestamp of their blocks if they see an advantage to do so.block.number
, even though it is possible to predict the time between blocks (approximately 14 seconds), block times are not constant and can vary depending on network activity. This makes block.number
unreliable for time-related calculations.block.number
to unlock funds after a certain period of time.
function withdraw() public {
require(users[msg.sender].amount > 0, 'no amount locked');
require(block.number >= users[msg.sender].unlockBlock, 'lock period not over');
uint amount = users[msg.sender].amount;
users[msg.sender].amount = 0;
(bool success, ) = msg.sender.call.value(amount)("");
require(success, 'transfer failed');
}