Confused on http session..

Grigory O. Ptashko
Greenhorn

Joined: Jan 26, 2006
Posts: 16
Hello.

I am confused on http session management.
Say, we have an authentication based on http session.
User1 logs into a private zone and a session is started. Then, say, User2 finds out the jsessionid of User1 and types it in the query string. This way User2 sees User1's private zone! How do I avoid this? Or am I getting something wrong?

Thanks in advance.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

The best way to avoid that is to use SSL.


William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12327
How about saving the result of the getRemoteAddr method of ServletRequest when the user first enters in the session and checking for the same address on all subsequent entries?

Bill


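An added example, not code from any poster in this thread, showing how the two defences above combine in one servlet filter: it refuses a session id carried in the URL (the query-string vector the original poster describes) and binds each session to the getRemoteAddr value seen on its first request, as Bill suggests. It assumes a javax.servlet container; the attribute name and class name are my own.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: reject URL-carried session ids and bind a
// session to the client address recorded on its first request.
public class SessionBindingFilter implements Filter {
    private static final String SESSION_ADDR_ATTR = "bound.remoteAddr"; // made-up name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session id supplied via ;jsessionid=... in the URL is the
        // case the original poster worries about: do not honour it.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession stale = request.getSession(false);
            if (stale != null) stale.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session id in URL not accepted");
            return;
        }

        HttpSession session = request.getSession(false);
        if (session != null) {
            String current = request.getRemoteAddr();
            String bound = (String) session.getAttribute(SESSION_ADDR_ATTR);
            if (bound == null) {
                // First request in this session: remember who started it.
                session.setAttribute(SESSION_ADDR_ATTR, current);
            } else if (!bound.equals(current)) {
                // Address changed mid-session: treat as a possible hijack,
                // drop the session and force the user to log in again.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "session/address mismatch");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Address binding is a coarse check: clients behind a rotating proxy pool or on mobile networks change address legitimately and will be logged out, and all clients behind one NAT share the same address, so it complements rather than replaces SSL with a cookie-only session id.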
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2300
Originally posted by Ben Souther:
The best way to avoid that is to use SSL.


If a transport guarantee is used, then will the JSESSIONID be encrypted or not? How will it prevent the possible misuse of the session described by the original poster?


Ashu Upadhyaya
Greenhorn

Joined: Sep 27, 2005
Posts: 19
I don't think merely knowing the jsessionid is enough for hijacking a session.
For example, I opened a site in Firefox, copied the jsessionid and then tried to
open this site with the copied jsessionid (on the same machine); it did not work.

The session is maintained at the web server, which keeps track of the client (browser),
so IMO just getting hold of the jsessionid won't do.