Is there a workaround for getSession(String)?

David King
Greenhorn

Joined: Apr 10, 2001
Posts: 8
Jakarta 4.0 provides a nice method from javax.servlet.http.HttpSessionContext called getSession(String) that takes the sessionID, but it has been deprecated for security reasons. I can see why. But, I still need to invalidate a session from another session. Any ideas?
I am writing a security piece for a web application that allows a user to log in on another user's session and take it over. The other user is logged out and would have to log in again (hopefully under another id.)
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12761
I think you are going to have to keep a separate list (maybe a HashMap) of sessions because, as you say, the servlet API no longer allows direct access. You could use one of the session listeners to catch the case in which the servlet engine invalidates a session.
Bill
David King
Greenhorn

Joined: Apr 10, 2001
Posts: 8
Thanks,
I found another design that does the trick. I persist the session id in a db. When the user logs out, the system removes the session id from the db. Otherwise, if the session expires, the listener removes that session id from the db.
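The registry-plus-listener approach suggested in this thread, as an added example (not code from any poster): it keys live sessions by user id, so no caller ever looks a session up by its id the way the deprecated getSession(String) allowed. The names `SessionRegistry`, `USER_ATTR` and `login` are hypothetical, and a javax.servlet 3.0+ container is assumed.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry: one live session per authenticated user id. */
@WebListener  // or declare the class as a <listener> in web.xml
public class SessionRegistry implements HttpSessionListener {
    // Attribute name is an assumption of this example.
    static final String USER_ATTR = "app.userId";
    private static final ConcurrentMap<String, HttpSession> BY_USER =
            new ConcurrentHashMap<>();

    /** Call only after credentials are verified; evicts the user's older session. */
    public static void login(String userId, HttpSession current) {
        current.setAttribute(USER_ATTR, userId);
        HttpSession previous = BY_USER.put(userId, current);
        if (previous != null && !previous.getId().equals(current.getId())) {
            try {
                previous.invalidate();  // the other browser has to log in again
            } catch (IllegalStateException alreadyGone) {
                // the container expired it first; nothing left to do
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // nothing to record until the user authenticates
    }

    /** Runs on logout, timeout, and the invalidate() call made in login(). */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession dying = event.getSession();
        Object userId;
        try {
            userId = dying.getAttribute(USER_ATTR);
        } catch (IllegalStateException e) {
            return;  // older containers notify after invalidation
        }
        if (userId == null) return;  // session never authenticated
        // Drop the entry only if it still points at the dying session, so
        // evicting the old session cannot unregister the one that replaced it.
        BY_USER.computeIfPresent((String) userId,
                (k, v) -> v.getId().equals(dying.getId()) ? null : v);
    }
}
```

This map lives in one JVM; in a clustered deployment the same bookkeeping needs a shared store, which is what the database variant in the last post provides.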
 