I'm using Java and Wicket on JBoss 5. I need to change the JSESSIONID cookie value to get the same Session used in another client (setting the other client's JSESSIONID). I need that to authenticate the other client, which has no keyboard. What is the best way?
If you really want to hack the JSESSIONID (<strong>which I don't recommend</strong>), you can do it the following way:

- Write a Servlet Filter.
- In that filter write a wrapper for the HttpServletRequest (a new instance of this class must be passed to chain.doFilter()); let's call it RequestWrapper.
- In the getSession(boolean) implementation you have to:
  - Identify (and remember) the session you want to 'share' with the non-keyboard user (this should come first).
  - Identify the situation when you want to make the 'change' (when, with some kind of check, you identify your non-keyboard user).
  - When you have to 'change', you can return the remembered session from the

The key moment is: <strong>How do you identify your non-keyboard user?</strong> If you can't do it safely (from the current information you provided I cannot see it), it is a <strong>security hole</strong>.
I recommend you implement some kind of <strong>auto-login feature</strong> in your application. There are a number of possibilities for that (<strong>Client Certificate</strong>, or <strong>Single Sign-On</strong> with some other AA provider, even a domain cookie).
If you are trying to log in with another application, your options are <strong>HTTP Basic Authentication</strong>, Client Certificate, or simply posting the username/password to your login page (this one is not the safest, though).
I prefer the <strong>Client Certificate</strong>, since that is the safest solution.
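As an added illustration of the recommended alternative (this is example code, not from the answer above): a servlet Filter that auto-logs in the keyboardless client from its TLS client certificate and gives it its own fresh session, instead of copying another user's JSESSIONID. It assumes the JBoss connector is configured for client-certificate authentication; `lookupUserByDn()` and the `authenticatedUser` session key are hypothetical application hooks.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class ClientCertAutoLoginFilter implements Filter {
    // Standard Servlet attribute under which the container exposes the verified client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Hypothetical session key used by the application to mark a logged-in user.
    private static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession existing = http.getSession(false);
        boolean loggedIn = existing != null && existing.getAttribute(USER_ATTR) != null;

        if (!loggedIn) {
            X509Certificate[] certs = (X509Certificate[]) http.getAttribute(CERT_ATTR);
            if (certs != null && certs.length > 0) {
                // The container has already validated the chain against its truststore;
                // the filter only maps the leaf certificate's subject to an application user.
                String dn = certs[0].getSubjectX500Principal().getName();
                String user = lookupUserByDn(dn);
                if (user != null) {
                    // Drop any pre-login session so a pre-set cookie cannot be fixated,
                    // then create a fresh session for this client alone.
                    if (existing != null) {
                        existing.invalidate();
                    }
                    http.getSession(true).setAttribute(USER_ATTR, user);
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Hypothetical lookup: map a certificate subject DN to an application user, or null.
    private String lookupUserByDn(String dn) {
        // Constructed sample mapping; a real application would consult its user store.
        return dn.contains("CN=kiosk-01") ? "kiosk-01" : null;
    }
}
```

Because every client ends up with its own session, the "how do you identify your non-keyboard user?" question is answered by the certificate check the container already performed, not by guessing from request data.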