Jakarta 4.0 provides a nice method from javax.servlet.http.HttpSessionContext called getSession(String) that takes the sessionID, but it has been deprecated for security reasons. I can see why. But, I still need to invalidate a session from another session. Any ideas? I am writing a security piece for a web application that allows a user to login on another user's session and take it over. The other user is logged out and would have to log in again (hopefully under another id.)
I think you are going to have to keep a separate list (maybe a HashMap) of sessions because, as you say, the servlet API no longer allows direct access. You could use one of the session listeners to catch the case in which the servlet engine invalidates a session. Bill
Thanks, I found another design that does the trick. I persist the session id in a db. When the user logs out, the system removes the session id from the db. Otherwise, if the session expires, a listener removes that session id from the db.
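An added example (not code from either post above) of the server-side registry Bill suggests, with the listener-driven cleanup that the original poster's db-backed design also relies on. It targets the javax.servlet API of that era, so no Servlet 3.x calls are used. The class name, the map names, the attribute key, and the takeover policy in bindUser are my own assumptions; swapping the in-memory maps for a db table gives the poster's variant.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical registry that replaces the deprecated
 * HttpSessionContext.getSession(String). Unlike that method, the lookup is
 * only reachable from trusted server-side code, never from a request parameter,
 * so holding a session id does not by itself grant access to the session.
 */
public class SessionRegistry implements HttpSessionListener {

    // session id -> live session, maintained by the container callbacks below
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();
    // user id -> session id of that user's current login (assumed one login per user)
    private static final Map<String, String> USER_TO_SESSION = new ConcurrentHashMap<>();
    private static final String USER_ATTR = "registry.userId"; // hypothetical attribute name

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        SESSIONS.put(s.getId(), s);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fires on explicit invalidate() and on timeout, so both the logout
        // and the expiry case from the thread end up here.
        String id = se.getSession().getId();
        SESSIONS.remove(id);
        // Caveat: in Servlet 2.3 containers this callback may run after the
        // session is already invalid, so do not read attributes here; clean
        // the reverse map by value instead.
        USER_TO_SESSION.entrySet().removeIf(e -> e.getValue().equals(id));
    }

    /**
     * Called by the login code once credentials are verified. If the same user
     * already has a live session elsewhere, that session is invalidated, so the
     * earlier browser is logged out and must authenticate again.
     */
    public static void bindUser(HttpSession session, String userId) {
        session.setAttribute(USER_ATTR, userId);
        String previous = USER_TO_SESSION.put(userId, session.getId());
        if (previous != null && !previous.equals(session.getId())) {
            invalidateById(previous);
        }
    }

    /** Invalidates a session from outside it; returns false if the id is unknown. */
    public static boolean invalidateById(String sessionId) {
        HttpSession s = SESSIONS.get(sessionId);
        if (s == null) {
            return false;
        }
        try {
            s.invalidate(); // container then calls sessionDestroyed(), which prunes the maps
        } catch (IllegalStateException alreadyInvalid) {
            SESSIONS.remove(sessionId); // timed out between lookup and invalidate
        }
        return true;
    }

    /** Read-only check used by admin or audit code; never expose the map itself. */
    public static boolean isActive(String sessionId) {
        return SESSIONS.containsKey(sessionId);
    }
}
```

Register the class in web.xml under a listener element (listener-class set to the fully qualified name) so the container calls sessionCreated and sessionDestroyed. Keep invalidateById and isActive out of any request-facing path: the whole point of deprecating getSession(String) was that a caller who learns a session id must not be able to act on that session, and this registry only preserves that guarantee if its callers are trusted code.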