I'm using Java and Wicket on JBoss 5. I need to change the JSESSIONID cookie value to get the same Session used in another client (setting the other client's JSESSIONID). I need that to authenticate the other client (which has no keyboard). What is the best way?


If you really want to hack the JSESSIONID (<strong>which I don't recommend</strong>), you can do it the following way:

<ul>
<li>Write a Servlet Filter</li>
<li>In that filter write a wrapper for the HttpServletRequest (a new instance of this class must be passed to chain.doFilter()); let's call it RequestWrapper</li>
<li>In the RequestWrapper override the getSession(boolean) method</li>
</ul>

In the getSession(boolean) implementation you have to

<ul>
<li>Identify (and remember) the session you want to 'share' with the non-keyboard user (this should come first)</li>
<li>Identify the situation when you want to make the 'change' (when, with some kind of check, you identify your non-keyboard user)</li>
<li>When you have to 'change', return the remembered session from getSession()</li>
</ul>

The key moment is: <strong>How do you identify your non-keyboard user?</strong> If you can't do it safely (from the current information you provided I cannot see it), it is a <strong>security hole</strong>.


I recommend that you implement some kind of <strong>auto-login feature</strong> in your application. There are a number of possibilities for that (<strong>Client Certificate</strong>, or <strong>Single Sign-On</strong> with some other AA provider, even a domain cookie).

If you are trying to log in from another application, your options are <strong>HTTP Basic Authentication</strong>, Client Certificate, or simply posting the username/password to your login page (this one is not the safest, though).

I prefer the <strong>Client Certificate</strong>, since that is the safest solution.
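
The three steps above, carried out in one filter, as an added example that is not part of the original answer and not code from Wicket or JBoss. It uses the answer's own preferred identification method (a container-verified client certificate, read from the standard Servlet attribute <code>javax.servlet.request.X509Certificate</code>) to decide when the 'change' is allowed. Everything else is an assumption for the sake of illustration: a <code>/pair?device=&lt;id&gt;</code> URL that the interactive (keyboard) user visits after logging in, the convention that the device's certificate subject CN equals that device id, and container-managed login so that <code>getUserPrincipal()</code> is non-null for the interactive user.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not from the original answer). Pairing model is assumed:
 * the logged-in keyboard user visits /pair?device=ID, which records the
 * current session under ID; a keyboard-less device that presents a client
 * certificate whose subject CN is ID then receives that session.
 */
public class SharedSessionFilter implements Filter {

    // device id -> session of the interactive user who paired that device
    private final Map<String, HttpSession> shared = new ConcurrentHashMap<String, HttpSession>();

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // Step 1: remember the session to share. Only an already authenticated
        // interactive user may pair (assumed: container login), so a device can
        // never pair itself with an arbitrary session.
        if ("/pair".equals(http.getServletPath()) && http.getUserPrincipal() != null) {
            String device = http.getParameter("device");
            if (device != null) {
                shared.put(device, http.getSession(true));
            }
        }

        // Step 2: identify the keyboard-less client. The certificate chain in this
        // attribute has already been verified by the container's TLS layer.
        String device = deviceIdFromClientCert(http);
        HttpSession target = (device == null) ? null : shared.get(device);

        // Step 3: hand the remembered session out through the wrapper. A session
        // the interactive user has since invalidated (logout, timeout) is dropped,
        // which also revokes the pairing.
        if (target != null) {
            if (isLive(target)) {
                chain.doFilter(new SharedSessionRequest(http, target), res);
                return;
            }
            shared.remove(device);
        }
        chain.doFilter(req, res);
    }

    /** CN of the verified client certificate, or null if none was presented. */
    private static String deviceIdFromClientCert(HttpServletRequest req) {
        X509Certificate[] chain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null;
        }
        try {
            // Parse the RFC 2253 subject DN properly instead of splitting on commas.
            LdapName dn = new LdapName(chain[0].getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN: treat as unidentified rather than guessing.
        }
        return null;
    }

    private static boolean isLive(HttpSession s) {
        try {
            s.getLastAccessedTime(); // throws once the session is invalidated
            return true;
        } catch (IllegalStateException invalidated) {
            return false;
        }
    }

    /** RequestWrapper from the answer: returns the remembered session instead of the caller's. */
    private static class SharedSessionRequest extends HttpServletRequestWrapper {
        private final HttpSession session;

        SharedSessionRequest(HttpServletRequest req, HttpSession session) {
            super(req);
            this.session = session;
        }

        @Override
        public HttpSession getSession(boolean create) { return session; }

        @Override
        public HttpSession getSession() { return session; }

        @Override
        public String getRequestedSessionId() { return session.getId(); }
    }
}
```

Map this filter in web.xml ahead of Wicket's own filter so that Wicket's <code>request.getSession()</code> calls go through the wrapper, and configure the connector to request client certificates (otherwise the attribute is always null and no 'change' ever happens, which is the safe failure mode). The point the answer makes still holds: every request that presents the device certificate receives the interactive user's full session, so the pairing is only as strong as the CA that issued the device certificate and the interactive user's ability to end it by logging out.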





