Meaningless Drivel is fun!*
The moose likes Servlets and the fly likes How to identify a session? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "How to identify a session?" Watch "How to identify a session?" New topic
Author

How to identify a session?

Tim Lincecum
Greenhorn

Joined: Aug 30, 2002
Posts: 5
hi all!
I know every session has a unique sessionID
If I keep all userID-sessionID record in my web app.
my question is, when I want to "force" an user to logout,
how do I use sessionID to find that session and kill it??
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

You used to be able to do this using the HttpSessionContext
http://java.sun.com/j2ee/sdk_1.2.1/techdocs/api/javax/servlet/http/HttpSessionContext.html
but as you can see this has been removed for security reasons.
Deprecated As of Java(tm) Servlet API 2.1 for security reasons, with no replacement. This interface will be removed in a future version of this API.

The problem is that application contexts can talk to each other. If you can reach from one web app to another, get the thing that holds some elses session, you can then get and set data on it.
Initially it might sound useful and like a good idea, but consider the case where you (personally) don't control all the app on a server...
If you want to log someone out from the server side, set a session timeout and use a registered HttpSessionBindingEvent to detect when the session times out. Manually maintaining the user and session data is dangerous!
Dave
 
Don't get me started about those stupid light bulbs.
 
subject: How to identify a session?
 
Similar Threads
how to invalidate a session from another computer by using ip/MAC sessionid
Session persist when server shuts down?
how to kill session in transportsession scope of axis2?
killing a session based on sessionId
How to know the sessionID is alive ?