Can a hacker inject into VaadinSession from the browser or any tool?

Below is my code to set data to VaadinSession:

UI.getCurrent().getUI().ifPresent(ui -> { ui.getSession().setAttribute("MyKey", "MyValue");});

My question is: from the browser or any tool, is a hacker able to inject some values into my current UI (VaadinSession), so they can change "MyKey" to another value?

And let's say MyValue is a string. What is the max length of MyValue that I can put into that attribute?


Sure, if you allow user input into that field. Otherwise it's pretty hard to find your server location, go on prem, physically access the server and change the value in memory without getting caught.

OK, so you mean the only way to do that is to change the value in memory in real time?

Because I will get this MyKey somewhere, I want to ensure that it cannot be hacked from outside :laughing:

var myKeySession = UI.getCurrent().getSession().getAttribute("MyKey");

VaadinSession is just a wrapper around the HttpSession, which is a servlet / container class. You would question the whole integrity of the Jakarta Servlet spec if that were changeable from outside :sweat_smile:

Nice, then we can break the world haha

The length of MyValue is 128 chars for now?

That’s not a length to worry about :sweat_smile:
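The two answers above make one point between them: the attribute lives in server memory (VaadinSession wraps the servlet HttpSession), so the browser cannot set it directly, and the only way client data reaches it is through code on the server that copies user input into it. The example below is added here to illustrate that distinction; it is not code from the original poster or from the Vaadin project. It assumes Vaadin Flow (the `com.vaadin.flow.*` packages) and a hypothetical route name `session-demo`; the attribute name `MyKey`, the value `MyValue` and the 128-character limit are taken from the thread.

```java
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.notification.Notification;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.component.textfield.TextField;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.VaadinSession;

// Hypothetical view added as an illustration; not the original poster's code.
@Route("session-demo")
public class SessionAttributeView extends VerticalLayout {

    static final String MY_KEY = "MyKey";   // attribute name from the thread
    static final int MAX_LEN = 128;         // limit mentioned in the thread

    public SessionAttributeView() {
        // (1) Server-controlled value. Nothing the browser sends influences this;
        //     the client only holds the session cookie, never the attribute itself.
        //     The session is already locked while a request is being handled.
        VaadinSession.getCurrent().setAttribute(MY_KEY, "MyValue");

        // (2) Client-controlled value. This is the one path by which browser data
        //     can end up in the attribute, so it is where validation must happen.
        TextField input = new TextField("Value for " + MY_KEY);
        // Client-side hint only: a user can edit the DOM or the request and send
        // more than 128 characters, so the server-side check below is the real limit.
        input.setMaxLength(MAX_LEN);

        Button save = new Button("Save", e -> {
            String submitted = input.getValue();   // arrived from the browser
            String error = validate(submitted);
            if (error != null) {
                Notification.show(error);
                return;
            }
            VaadinSession.getCurrent().setAttribute(MY_KEY, submitted);
        });

        Button read = new Button("Read", e -> {
            // Read it back defensively: getAttribute(String) returns Object, and
            // other server code could have stored a different type under the key.
            Object raw = VaadinSession.getCurrent().getAttribute(MY_KEY);
            String shown = (raw instanceof String) ? (String) raw : "(not a string)";
            Notification.show(MY_KEY + " = " + shown);
        });

        add(input, save, read);
    }

    /**
     * Server-side validation of data that came from the client.
     * Returns null when the value is acceptable, otherwise an error message.
     */
    static String validate(String value) {
        if (value == null || value.isBlank()) {
            return "Value must not be empty";
        }
        if (value.length() > MAX_LEN) {
            return "Value must be at most " + MAX_LEN + " characters";
        }
        return null;
    }
}
```

Path (1) is the situation the first reply describes as "pretty hard" to tamper with: the value never crosses the network. Path (2) is the "if you allow user input into that field" case, and `validate` is the check that makes the 128-character limit a server-side fact rather than a browser-side suggestion. Where the attribute is later used to make decisions (for example as a key into a database), treat a value that arrived through path (2) as untrusted input, exactly as you would a request parameter.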