JAVA Change JSESSIONID cookie

I'm using Java and Wicket on JBoss 5. I need to change the JSESSIONID cookie value to get the same session used in another client (setting the other client's JSESSIONID). I need that to authenticate the other client (that has no keyboard). What is the best way?

Answer1:

If you really want to hack the JSESSIONID (<strong>which I don't recommend</strong>), you can do it the following way:

  • Write a Servlet Filter
  • In that filter write a wrapper for the HttpServletRequest (a new instance of this class must be passed to the chain.doFilter()) (let's call it RequestWrapper)
  • In the RequestWrapper override the getSession(boolean) method

In the getSession(boolean) implementation you have to

  • Identify (and remember) the session you want to 'share' with the non-keyboard user (this should come first)
  • Identify the situation when you want to make the 'change' (when with some kind of check you identify your non-keyboard user)
  • When you have to 'change', you can return the remembered session from the getSession()

The key moment is: <strong>How do you identify your non-keyboard user?</strong> If you can't do it safely (from the current information you provided I cannot see it), it is a <strong>security hole</strong>.

Answer2:

I recommend you to implement some kind of <strong>auto-login feature</strong> in your application. There are a number of possibilities for that (<strong>Client Certificate</strong>, or <strong>Single Sign-On</strong> with some other AA provider, even domain cookie).

If you are trying to log in with another application, your options are <strong>HTTP Basic Authentication</strong>, Client Certificate, or simply posting the username/password to your login page (this one is not the safest, though).

I prefer the <strong>Client Certificate</strong>, since that is the safest solution.
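
Added example (not part of either answer, and not code from the original page): a servlet filter sketching the client-certificate auto-login that Answer2 prefers, so the keyboardless device gets its own session instead of another client's JSESSIONID. It assumes the container is configured to request client certificates over TLS; the class name, the `app.user` attribute and the fingerprint map are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: logs a keyboardless device in from its TLS client certificate. */
public class DeviceCertLoginFilter implements Filter {
    // Hypothetical key under which the application stores the logged-in account.
    static final String USER_ATTR = "app.user";
    // Constructed placeholder: SHA-256 certificate fingerprint (hex) -> account.
    private static final Map<String, String> DEVICES = new HashMap<String, String>();
    static { DEVICES.put("<sha256-hex-of-enrolled-device-cert>", "kiosk-1"); }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession current = req.getSession(false);
        if (current == null || current.getAttribute(USER_ATTR) == null) {
            // Set by the container only when the TLS handshake accepted the chain.
            X509Certificate[] certs = (X509Certificate[])
                    req.getAttribute("javax.servlet.request.X509Certificate");
            String account = (certs == null || certs.length == 0)
                    ? null : DEVICES.get(fingerprint(certs[0]));
            if (account != null) {
                if (current != null) current.invalidate(); // drop any pre-login session id
                // The device gets a session of its own; no JSESSIONID is copied.
                req.getSession(true).setAttribute(USER_ATTR, account);
            }
        }
        chain.doFilter(rq, rs); // requests without an enrolled cert use the normal login
    }

    // Lowercase hex SHA-256 of the DER-encoded certificate.
    static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (Exception e) { // NoSuchAlgorithmException or CertificateEncodingException
            throw new ServletException("cannot fingerprint client certificate", e);
        }
    }
}
```

Pinning the enrolled certificate's fingerprint gives a concrete answer to Answer1's question of how the non-keyboard user is identified, and revoking a device is a matter of removing its entry.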
