Is there a workaround for getSession(String)?

David King
Greenhorn

Joined: Apr 10, 2001
Posts: 8
Jakarta 4.0 provides a nice method from javax.servlet.http.HttpSessionContext called getSession(String) that takes the session ID, but it has been deprecated for security reasons. I can see why. But I still need to invalidate a session from another session. Any ideas?
I am writing a security piece for a web application that allows a user to log in on another user's session and take it over. The other user is logged out and would have to log in again (hopefully under another id).
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
I think you are going to have to keep a separate list (maybe a HashMap) of sessions because, as you say, the servlet API no longer allows direct access. You could use one of the session listeners to catch the case in which the servlet engine invalidates a session.
Bill
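
The registry approach from the reply above, as an added example that is not code from this thread: `SessionRegistry`, `bind` and `invalidateUser` are hypothetical names, and it assumes a single-node container with the class declared as a `<listener>` in web.xml. Lookups are keyed by the authenticated user id rather than by a session id taken from a request, so the session id never has to leave the server.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Added example: application-maintained replacement for getSession(String). */
public class SessionRegistry implements HttpSessionListener {

    // session id -> live session; static so servlets in this webapp can reach it
    private static final ConcurrentMap<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();
    // authenticated user id -> session id (one active session per user)
    private static final ConcurrentMap<String, String> BY_USER = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        SESSIONS.put(e.getSession().getId(), e.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        // Fires on timeout, normal logout and invalidateUser(); drop both mappings.
        String id = e.getSession().getId();
        SESSIONS.remove(id);
        BY_USER.values().remove(id);
    }

    /** Call after a successful login; logs out any older session of the same user. */
    public static void bind(String userId, HttpSession session) {
        String previousId = BY_USER.put(userId, session.getId());
        if (previousId != null && !previousId.equals(session.getId())) {
            invalidateQuietly(SESSIONS.remove(previousId));
        }
    }

    /** Forced logout. The caller must already have checked that it is authorized. */
    public static boolean invalidateUser(String userId) {
        String id = BY_USER.remove(userId);
        HttpSession target = (id == null) ? null : SESSIONS.remove(id);
        invalidateQuietly(target);
        return target != null;
    }

    private static void invalidateQuietly(HttpSession s) {
        if (s == null) return;
        try { s.invalidate(); } catch (IllegalStateException alreadyExpired) { /* lost the race with a timeout */ }
    }
}
```

Because the map lives in one JVM, a clustered deployment needs a shared store instead.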
David King
Greenhorn

Joined: Apr 10, 2001
Posts: 8
Thanks,
I found another design that does the trick. I persist the session id on a db. When the user logs out, the system removes the session id from the db. Otherwise, if the session expires, a listener removes that session id from the db.