HttpSession Internal Working  RSS feed

 
Vaibhav Gargs
Ranch Hand
I am reading the HttpSession concepts. I have a few queries regarding this:

1. How does HttpSession work internally?

2. Does it always use cookies, or some other mechanism as well?

3. If cookies are not supported by the client, then won't it work at all?

4. Can someone hijack the cookies and use them to impersonate the user?
 
Al Hobbs
Ranch Hand
Are you sure this isn't your homework?  I find it hard to believe you are thinking up all these diverse questions so quickly. Maybe they're from a book or your teacher? FESS UP.
 
Vaibhav Gargs
Ranch Hand
Al Hobbs wrote: Are you sure this isn't your homework? I find it hard to believe you are thinking up all these diverse questions so quickly. Maybe they're from a book or your teacher? FESS UP.

Yes, this is not my homework. I am a working professional and have some experience in J2EE apps, but never thought about it deeply. Now I was going through token authentication, so I was just wondering about the difference between cookies and tokens and their internals.
 
Al Hobbs
Ranch Hand
This question isn't even about cookies and tokens. It's about HttpSession. Where did you get these questions from then?
 
Vaibhav Gargs
Ranch Hand
Al Hobbs wrote: This question isn't even about cookies and tokens. It's about HttpSession. Where did you get these questions from then?

I believe that the session id is stored as a cookie on the client machine.
 
Saloon Keeper
HttpSession is an interface for a server-specific object. It resides on the server and never on the client. The server creates an HttpSession object when the user requests a session with create option or logs in via JEE standard security. The server keeps all HttpSession objects in a Map, although the session data can be serialized in order to pass it to another server (in the case of clustered servers) or written to persistent storage if there's a need to free up RAM. It is this that mandates that all session-scope objects must be Serializable.

The session hash key can be transferred to and from the client in one of 2 ways:

1. As an appendage to a URL. For example, "https://coderanch.com/foo/bar;jsessionid=Aa1234BCDE"

2. As a cookie with name "jsessionid".

Cookies are safer, since if you forget to build a link with jsessionid attached or users type in a raw URL without jsessionid, it's easy to lose contact with the session. However, in many parts of the world cookies cannot be used freely, so URL rewriting (to add the jsessionid) is the only other option. And if your client doesn't have cookie support, you have to use URL rewriting.

Java has HTTP APIs that handle cookies automatically, which makes it more convenient to write web client applications using cookies, both jsessionid and user-defined cookies.

The actual value of jsessionid is basically randomly-generated data, and its only value is for the server to locate the actual HttpSession in its Map. In fact, the server can and will change jsessionid values without warning for various reasons, so you should never attempt to cache it or work with it directly. That is the answer to your 4th question: yes, it's possible to hijack a jsessionid, and preventing that from happening while in a secure session is one reason why jsessionid's value can be changed by the server.
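To show the two transport mechanisms and the id-rotation point from the post above in working servlet code, here is an added example (not code from the thread or from any container): a login servlet on the javax.servlet API (Servlet 3.1+) that issues a fresh session id after authentication, uses encodeRedirectURL so URL rewriting kicks in only for clients that do not return the cookie, and a listener that marks the session cookie HttpOnly and Secure. LoginServlet, SessionCookieHardening, checkCredentials and the /login and /home paths are assumed names.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // checkCredentials() is a hypothetical stand-in for the app's own user store.
        if (!checkCredentials(req.getParameter("user"), req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Create the server-side HttpSession if this client has none yet.
        HttpSession session = req.getSession(true);
        // Servlet 3.1+: keep the same session object but issue a fresh id, so an id the
        // client held (or was handed by someone else) before login maps to nothing.
        req.changeSessionId();
        session.setAttribute("user", req.getParameter("user"));
        // URL-rewriting fallback: the container appends ;jsessionid=... only if it has
        // not yet seen this client send the id back in a cookie.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
    }

    // Placeholder check; a real app would consult its user store here.
    private boolean checkCredentials(String user, String pass) {
        return "demo".equals(user) && "demo".equals(pass);
    }
}

// Hardens the jsessionid cookie for the whole web app; runs once at startup.
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // page scripts cannot read the id
        cfg.setSecure(true);   // the id is only sent over HTTPS
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Deploy it in any Servlet 3.1+ container; after a successful POST to /login the Set-Cookie header carries the new id with the HttpOnly and Secure flags, and the redirect URL gains ;jsessionid=... only when cookies are off.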

 
Saloon Keeper
Al Hobbs wrote: This question isn't even about cookies and tokens. It's about HttpSession. Where did you get these questions from then?

Sessions are mostly implemented through cookies containing session tokens.
 