
Confused on http session..

 
Grigory O. Ptashko
Greenhorn
Posts: 16
Hello.

I am confused about HTTP session management.
Say we have authentication based on an HTTP session.
User1 logs into a private zone and a session is started. Then, say, User2 finds out User1's jsessionid and types it in the query string. This way User2 sees User1's private zone! How do I avoid this? Or am I getting something wrong?

Thanks in advance.
 
Ben Souther
Sheriff
Posts: 13411
The best way to avoid that is to use SSL.
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13078
How about saving the result of the getRemoteAddr method of ServletRequest in the session when the user first enters, and checking for the same address on all subsequent entries?

Bill
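The address check Bill describes, written out as a servlet Filter. This is an added example, not code from the thread; it assumes the javax.servlet API, and the attribute name and the 401 response are choices made for this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the thread): pins a session to the client address
// first seen with it and rejects the same session id from another address.
// ADDR_ATTR is an arbitrary attribute name chosen for this example.
public class SessionAddressFilter implements Filter {
    private static final String ADDR_ATTR = "example.boundRemoteAddr";

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;

        // Only inspect a session that already exists; never create one here.
        HttpSession session = httpReq.getSession(false);
        if (session != null) {
            String current = httpReq.getRemoteAddr();
            String bound = (String) session.getAttribute(ADDR_ATTR);
            if (bound == null) {
                // First request carrying this session: record the address.
                session.setAttribute(ADDR_ATTR, current);
            } else if (!bound.equals(current)) {
                // Same session id presented from a different address:
                // treat it as a suspected hijack, drop the session, refuse.
                session.invalidate();
                httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "Session is not valid from this address");
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {}
}
```

Behind NAT or a reverse proxy many users share one address (or getRemoteAddr returns the proxy's address), so this check only narrows the window and complements SSL and cookie-only session ids rather than replacing them.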
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308
Originally posted by Ben Souther:
The best way to avoid that is to use SSL.

If a transport guarantee is used, then would the JSESSIONID be encrypted or not? How will that prevent the possible misuse of the session described by the original poster?
 
Ashu Upadhyaya
Greenhorn
Posts: 19
I don't think merely knowing the jsessionid is enough for hijacking a session.
For example, I opened a site in Firefox, copied the jsessionid and then tried to
open this site with the copied jsessionid (on the same machine); it did not work.

The session is maintained at the web server, which keeps track of the client (browser),
so IMO just getting hold of the jsessionid won't do.
 