
Is there a workaround for getSession(String)?

 
David King
Greenhorn
Jakarta 4.0 provides a nice method from javax.servlet.http.HttpSessionContext called getSession(String) that takes the sessionID, but it has been deprecated for security reasons. I can see why. But, I still need to invalidate a session from another session. Any ideas?
I am writing a security piece for a web application that allows a user to login on another user's session and take it over. The other user is logged out and would have to log in again (hopefully under another id.)
 
William Brogden
Author and all-around good cowpoke
Rancher
I think you are going to have to keep a separate list (maybe a HashMap) of sessions because, as you say, the servlet API no longer allows direct access. You could use one of the session listeners to catch the case in which the servlet engine invalidates a session.
Bill
 
David King
Greenhorn
Thanks,
I found another design that does the trick. I persist the session id in a db. When the user logs out, the system removes the session id from the db. Otherwise, if the session expires, a listener removes that session id from the db.
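The two approaches in this thread (Bill's in-memory map kept current by a session listener, and David's persisted session ids cleaned up on logout or expiry) share the same mechanics: the container tells you when sessions are created and destroyed, and you keep your own index because HttpSessionContext.getSession(String) is gone. The class below is an added example, not code from either poster; it assumes the javax.servlet 2.3-era API (HttpSessionListener, registered as a <listener> in web.xml), and the attribute name USER_ATTR and the methods bindUser and invalidateById are hypothetical names chosen for illustration. It enforces one active session per user id: when a user authenticates in a new session, any older session bound to the same id is invalidated, so the earlier login is forced to re-authenticate, which is the behaviour David describes.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Registry of live sessions keyed by session id, kept up to date by the
 * container's HttpSessionListener callbacks. Register it in web.xml:
 *   <listener><listener-class>SessionRegistry</listener-class></listener>
 * This stands in for the deprecated HttpSessionContext.getSession(String).
 */
public class SessionRegistry implements HttpSessionListener {

    // Hypothetical attribute name under which the login code stores the user id.
    public static final String USER_ATTR = "example.userId";

    // In-memory index; a db table keyed by session id (David's design) can
    // replace this when sessions live in more than one JVM.
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

    public void sessionCreated(HttpSessionEvent e) {
        SESSIONS.put(e.getSession().getId(), e.getSession());
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        // Fires both for explicit invalidate() and for container timeout,
        // so the index never keeps a dead session around.
        SESSIONS.remove(e.getSession().getId());
    }

    /**
     * Called by the login code once userId has been authenticated in current.
     * Any other live session already bound to the same user id is invalidated,
     * so the earlier login has to authenticate again.
     */
    public static void bindUser(HttpSession current, String userId) {
        for (HttpSession other : SESSIONS.values()) {
            if (other == current) {
                continue;
            }
            try {
                if (userId.equals(other.getAttribute(USER_ATTR))) {
                    other.invalidate(); // triggers sessionDestroyed, which drops it from the map
                }
            } catch (IllegalStateException alreadyInvalid) {
                // Lost a race with a timeout; make sure the stale entry is gone.
                SESSIONS.remove(other.getId());
            }
        }
        current.setAttribute(USER_ATTR, userId);
    }

    /** Invalidate a session by id (for an administrative logout), without the deprecated API. */
    public static boolean invalidateById(String sessionId) {
        HttpSession s = SESSIONS.get(sessionId);
        if (s == null) {
            return false;
        }
        try {
            s.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            SESSIONS.remove(sessionId);
        }
        return true;
    }
}
```

Two points worth keeping in mind when adopting this: the registry holds strong references to sessions, which is safe only because sessionDestroyed removes every entry the container expires; and an in-memory map only sees the sessions of one JVM, so in a clustered deployment the lookup has to move to shared storage such as the db table in David's design.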
 