tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: set SessionID (PLEASE HELP)
Date Wed, 31 Oct 2001 17:39:31 GMT
There is no mechanism in the servlet API that lets you do what you are
describing.  However, you could fairly easily set up your own "fake"
sessions that behave sort of like servlet sessions for this purpose, and
assign your own identifiers independent of the session identifiers created
by the servlet container.

Note that, even if you do all of this, you are not really hiding anything
from anybody.  The "encoded" version of your session ID is still visible
to anyone snooping on the network, and it can be used to spoof the server
in exactly the same way that the standard session id could.

If you're trying to improve the security of your session identifiers, I
suggest you forget about this approach and just use SSL connections.  That
is what they are for.

Craig McClanahan


On Wed, 31 Oct 2001, Michael wrote:

> Date: Wed, 31 Oct 2001 15:37:15 +0100
> From: Michael <tomcat@meinsenf.at>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Cc: Yoav Shapira <shapira@mpi.com>
> Subject: Re: set SessionID (PLEASE HELP)
>
> hi,
>
> I don't want to generate my own unique sessionID, but:
> I get the sessionID from getSession(), then I don't want to use cookies nor rewriteURL()!!!
> I want to hide the sessionID in an encoded GET-variable and do a request like:
>
> 1st request:
> getSession().getID() -> 1234567
> encode 1234567 to abcdefg
> new link to a servlet: http://localhost/myServlet?MySessionID=abcdefg
>
> 2nd request:
> when I process the incoming request, I decode "abcdefg" to 1234567
> set 1234567 to the request's sessionID <--- this is what I want!!!!
>
> now "HttpSession session=req.getSession()" would work like having the sessionID sent via a cookie!
>
> any idea???
> thanks
> michi
>
>
> >Howdy,
> >The sessionID is an internal identifier assigned and used by the
> >web server (typically).  Maybe you want to consider using your own
> >session variable with a different name, that you can assign and control
> >manually?  It would be your responsibility to guarantee uniqueness,
> >but that's usually not a big hassle, and the flexibility is worth it.
> >
> >Yoav
> >
> >tomcat@meinsenf.at wrote:
> >> Hi,
> >>
> >> I have to set the sessionID manually - how to do it???
> >> I want to extract the sessionID from an encoded POST- or GET-variable, and
> >> want my session to bind to it!!!
> >>
> >> thanks
> >> michi
> >>
> >>   ------------------------------------------------------------------------
> >> --
> >> To unsubscribe, e-mail:
> >> <mailto:tomcat-user-unsubscribe@jakarta.apache.org> For additional
> >> commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> >


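As an added illustration (not code from this thread, from Tomcat or from the servlet API), a standalone Python sketch of the two things Craig contrasts: Michael's reversible encoding of the container's session id, and an application-managed "fake" session store keyed by an identifier the application generates itself. The helper names, the base64 stand-in for the unnamed encoding, and the TTL are assumptions; the `MySessionID` parameter and the example URL come from the thread.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Michael's scheme: the container's session id is "hidden" in a reversible
# encoding. base64 stands in here (assumption; the thread names no scheme).
def encode_id(session_id: str) -> str:
    return base64.urlsafe_b64encode(session_id.encode()).decode().rstrip("=")

def decode_id(token: str) -> str:
    # Anyone who sees the token can undo the encoding; there is no key.
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()

# Craig's alternative: application-managed "fake" sessions keyed by an
# identifier generated by the application, independent of the container.
class FakeSessionStore:
    def __init__(self, ttl_seconds: float = 1800):
        self._sessions = {}   # token -> attribute dict
        self._expires = {}    # token -> monotonic deadline
        self._ttl = ttl_seconds

    def create(self) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, nothing to decode
        self._sessions[token] = {}
        self._expires[token] = time.monotonic() + self._ttl
        return token

    def lookup(self, token):
        if token not in self._sessions:
            return None
        if time.monotonic() >= self._expires[token]:
            del self._sessions[token]
            del self._expires[token]
            return None
        return self._sessions[token]

# Resolve the session for a request carrying ?MySessionID=..., as in the
# thread's example URL. An eavesdropper who saw the link sends the same thing.
def session_from_url(url: str, store: FakeSessionStore):
    params = parse_qs(urlparse(url).query)
    token = params.get("MySessionID", [None])[0]
    return store.lookup(token)

if __name__ == "__main__":
    store = FakeSessionStore()
    tok = store.create()
    store.lookup(tok)["user"] = "michi"
    link = f"http://localhost/myServlet?MySessionID={tok}"  # travels in clear
    print(session_from_url(link, store))   # {'user': 'michi'}, for anyone holding the link
    print(decode_id(encode_id("1234567")))  # 1234567
```

Whatever the parameter is called or how it is encoded, it is a bearer token: the server grants the session to whoever presents it, which is why Craig points at SSL rather than at obfuscation.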

