I am writing an additional service for a website, which utilises the existing login behaviour, while requiring some additional signup details from the user. The new service runs in a different subdomain.
The user will be able to create resources on my data web app, which must be saved against that user’s data collection.
I expect that this user identifier will be passed to the webapp in the body of the HTTP request. However, I am concerned that a malicious attack could rewrite the user name in the body to make requests appear as if from another user.
What can I do to make this safer? (And does this count as a CSRF attack?)
The new service is written in Java, with Spring 3.
You can never ensure an HTTP request comes from a specific user, you can only attempt to validate a user and a request. Usually this is done by creating a ticket during the login or authentication process, then requiring that ticket on subsequent requests. You can then match the ticket with the user and accept that as valid. The ticket expires after a period of inactivity, requiring the user to log in again.
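The ticket mechanism described in the answer, as an added worked example that is not part of the question or the answer above and is not tied to Spring: a server-side store issues an opaque random ticket at login, binds it to the user, refreshes an inactivity timer on every valid use, and drops it once the idle timeout passes. The request handler takes the owner of a new resource from the ticket and ignores any user name in the body, which is exactly the tampering the question worries about. The header name `X-Auth-Ticket`, the 15-minute timeout, the `handle_create_resource` handler and the sample requests are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption: 15 minutes of inactivity invalidates a ticket


@dataclass
class Ticket:
    user_id: str
    last_seen: float  # seconds since epoch, refreshed on each valid request


class TicketStore:
    """Server-side ticket store. The ticket value is random and opaque, so it
    carries no user information itself; the binding to a user lives only here."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._idle_timeout = idle_timeout
        self._tickets: Dict[str, Ticket] = {}

    def issue(self, user_id: str) -> str:
        """Called once login has succeeded: mint a 256-bit random ticket for this user."""
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = Ticket(user_id=user_id, last_seen=self._clock())
        return ticket

    def resolve(self, ticket: Optional[str]) -> Optional[str]:
        """Return the user bound to a ticket, or None if the ticket is missing,
        unknown or idle-expired. A valid use refreshes the inactivity timer."""
        if ticket is None:
            return None
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        now = self._clock()
        if now - entry.last_seen > self._idle_timeout:
            del self._tickets[ticket]  # expired: forget it so it cannot be reused
            return None
        entry.last_seen = now
        return entry.user_id

    def revoke(self, ticket: str) -> None:
        """Logout: forget the ticket immediately."""
        self._tickets.pop(ticket, None)


def handle_create_resource(store: TicketStore, headers: Dict[str, str],
                           body: Dict[str, str]) -> Dict[str, str]:
    """Hypothetical handler for the 'create resource' request. The owner is taken
    from the ticket, never from the body, so a body field naming another user is inert."""
    user_id = store.resolve(headers.get("X-Auth-Ticket"))
    if user_id is None:
        return {"status": "401", "error": "missing, unknown or expired ticket"}
    # Older clients may still send a user field; it is ignored, and a mismatch
    # is worth logging because it indicates a tampered or replayed request.
    claimed = body.get("user")
    if claimed is not None and claimed != user_id:
        print(f"warning: body claims user {claimed!r} but ticket belongs to {user_id!r}")
    return {"status": "201", "owner": user_id, "name": body.get("name", "")}


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so expiry is visible without waiting.
    fake_now = [1_000.0]
    store = TicketStore(clock=lambda: fake_now[0], idle_timeout=60)
    ticket = store.issue("alice")                      # login as alice
    print(handle_create_resource(store, {"X-Auth-Ticket": ticket},
                                 {"user": "mallory", "name": "report"}))  # owner is alice
    print(handle_create_resource(store, {}, {"user": "alice"}))           # 401, no ticket
    fake_now[0] += 61                                   # idle past the timeout
    print(handle_create_resource(store, {"X-Auth-Ticket": ticket}, {"name": "x"}))  # 401
```

The same shape is what the servlet container gives you in Java: the ticket is the session cookie, the store is the session, and the handler reads the principal from the session rather than from the request body. Keeping the store server-side means a captured body tells an attacker nothing about how to forge another user's ticket, and the idle timeout bounds how long a leaked ticket stays useful.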