Reputation: 2233
When running a java web application with the servlet api (like JSF or JSP pages), somewhere along the line a 'unique' SessionID is generated to identify the user's session.
I'm wondering how these sessionID's are generated. Do they include the IP of the client? A timestamp? Random numbers?
Secondly, I'm wondering where this generation happens? Is this dependent on the server that runs the application?
Upvotes: 14
Views: 37666
Reputation: 1
Try the following code:
HttpSession session = request.getSession();
String sessionid = session.getId();
sessionid = sessionid.substring((sessionid.length() - 23), sessionid.length());
Upvotes: -2
Reputation: 7
Here is the complete code for your question.
Create login.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<!-- meta charset matches the page's contentType above -->
<meta charset="ISO-8859-1">
<title>Login Page</title>
</head>
<body>
<!-- the heading belongs in the body, not in the head -->
<h1>Please login to continue</h1>
<form action="LoginServlet" method="post">
User Name: <input type="text" name="username">
<br>
Password: <input type="password" name="pwd">
<br><br>
<input type="submit" value="Login">
</form>
</body>
</html>
Create LoginServlet
package com.self.sessionid;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
@WebServlet("/LoginServlet")
public class LoginServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
// fixed credentials for the demo only
private final String username = "admin";
private final String password = "password";
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
String password = request.getParameter("pwd");
if(this.username.equals(username) && this.password.equals(password)) {
// drop any session the client brought along, so the ID issued after login is a fresh one (session fixation defence)
HttpSession oldSession = request.getSession(false);
if(oldSession != null) {
oldSession.invalidate();
}
HttpSession newSession = request.getSession(true);
newSession.setMaxInactiveInterval(1*60);
Cookie message = new Cookie("message", "welcome");
// a cookie added to the response only shows up in request.getCookies() from the next request on
response.addCookie(message);
// the JSESSIONID cookie on this request (if any) still carries the invalidated old session's ID,
// so read the current ID from the new session object instead of from the cookies
String sessionID = newSession.getId();
System.out.println("message : " + message.getValue());
System.out.println("Session Id : " + sessionID);
/* response.sendRedirect("/loginSuccess.jsp"); */
RequestDispatcher rd = getServletContext().getRequestDispatcher("/loginSuccess.jsp");
rd.include(request, response);
} else {
RequestDispatcher rd = getServletContext().getRequestDispatcher("/login.jsp");
PrintWriter out = response.getWriter();
out.println("<font color=red>Either username or password is wrong.</font>");
rd.include(request, response);
}
}
}
Create the loginSuccess.jsp file in WebComponent
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<%-- <%
String message = null;
String sessionID = null;
Cookie[] cookies = request.getCookies();
if(cookies != null){
for(Cookie cookie : cookies){
if(cookie.getName().equals("message")) message = cookie.getValue();
if(cookie.getName().equals("JSESSIONID")) sessionID = cookie.getValue();
}
}
%> --%>
<h3>Login Success</h3>
<%-- <h4><%=message%></h4>
<h4>Session ID = <%=sessionID %></h4>
--%> <br><br>
<h1>Welcome</h1>
<form action="LogoutServlet" method="post">
<input type="submit" value="Logout" >
</form>
</body>
</html>
Create LogoutServlet
package com.self.sessionid;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
* Servlet implementation class LogoutServlet
*/
@WebServlet("/LogoutServlet")
public class LogoutServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
HttpSession session = request.getSession(false);
if(session != null){
session.invalidate();
}
response.sendRedirect(request.getContextPath() + "/login.jsp");
}
}
Upvotes: -2
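As an added example (not code from the answer above), the same ID rotation at login done with the Servlet 3.1 API: HttpServletRequest.changeSessionId() makes the container issue a new ID while keeping the session's attributes, which invalidate() followed by getSession(true) throws away. The class name, URL mapping and the fixed credentials are assumptions for the demo.

```java
package com.self.sessionid; // same package as the answer's servlets (assumed)

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login that rotates the session ID with changeSessionId() (Servlet 3.1+) instead of invalidate()+getSession(true). */
@WebServlet("/RotatingLoginServlet")
public class RotatingLoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("pwd");
        // Placeholder check for the demo; a real application verifies a stored password hash here.
        boolean authenticated = "admin".equals(username) && "password".equals(password);
        if (!authenticated) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = request.getSession(true);
        // Simulated pre-login state (e.g. a shopping cart) that should survive the login.
        session.setAttribute("cart", "kept-across-rotation");

        String before = session.getId();
        String after = request.changeSessionId(); // container generates a fresh ID, attributes are kept
        session.setAttribute("user", username);
        session.setMaxInactiveInterval(15 * 60);

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("rotated=" + !before.equals(after));
        out.println("attributesKept=" + "kept-across-rotation".equals(session.getAttribute("cart")));
        // The ID itself is a bearer credential: log or display it only in a test setup like this answer's.
    }
}
```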
Reputation: 258
A java.security.MessageDigest algorithm is normally used.
Usually the generated ID is just a set of random numbers, up until the required length, but it varies according to the algorithms used in the various servlet containers.
In Tomcat6, for example, have a look at:
ManagerBase.sessionIdLength
and
ManagerBase.createSession() //which calls generateSessionId()
See http://www.docjar.com/html/api/org/apache/catalina/session/ManagerBase.java.html
Upvotes: 4
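To make concrete what "a set of random numbers, up until the required length" means, here is an added, self-contained model of a container-style generator in the manner of Tomcat's (it is not Tomcat's source): a CSPRNG fills sessionIdLength bytes, they are hex-encoded, and an optional jvmRoute suffix is appended for load-balancer stickiness. Nothing about the client (IP address, timestamp) goes into the ID; older containers additionally ran the random bytes through a MessageDigest, which changes the shape of the ID but adds no entropy. The class and method names are assumptions.

```java
import java.security.SecureRandom;
import java.util.regex.Pattern;

/** Model of a container-style session ID generator (added example, not a servlet container's code). */
public final class SessionIdGeneratorDemo {
    // Tomcat's default sessionIdLength is 16 random bytes -> 32 hex characters (128 bits of entropy).
    private static final int SESSION_ID_LENGTH = 16;
    // A CSPRNG; java.util.Random would make IDs predictable from a few observed values.
    private static final SecureRandom RANDOM = new SecureRandom();
    // Expected shape: 32 uppercase hex digits, optionally followed by ".<jvmRoute>".
    private static final Pattern HEX_ID = Pattern.compile("^[0-9A-F]{32}(\\.[A-Za-z0-9]+)?$");

    private final String jvmRoute; // worker name appended so a load balancer can route to the right node

    public SessionIdGeneratorDemo(String jvmRoute) {
        this.jvmRoute = jvmRoute;
    }

    /** Draws SESSION_ID_LENGTH random bytes, hex-encodes them and appends the jvmRoute if one is set. */
    public String generateSessionId() {
        byte[] buf = new byte[SESSION_ID_LENGTH];
        RANDOM.nextBytes(buf);
        StringBuilder sb = new StringBuilder(SESSION_ID_LENGTH * 2 + 8);
        for (byte b : buf) {
            sb.append(String.format("%02X", b & 0xff));
        }
        if (jvmRoute != null && !jvmRoute.isEmpty()) {
            sb.append('.').append(jvmRoute);
        }
        return sb.toString();
    }

    /** Shape check, e.g. for validating IDs seen in logs or rejecting malformed ones before a lookup. */
    public static boolean looksWellFormed(String id) {
        return id != null && HEX_ID.matcher(id).matches();
    }

    public static void main(String[] args) {
        SessionIdGeneratorDemo gen = new SessionIdGeneratorDemo("node1");
        for (int i = 0; i < 3; i++) {
            String id = gen.generateSessionId();
            System.out.println(id + "  wellFormed=" + looksWellFormed(id));
        }
        System.out.println("entropy bits per ID: " + (SESSION_ID_LENGTH * 8));
        System.out.println("malformed example accepted: " + looksWellFormed("1234-not-hex"));
    }
}
```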
Reputation: 24396
It is container specific. Tomcat: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Manager
Upvotes: 8
Reputation: 105
"The identifier is assigned by the servlet container and is implementation dependent."
The jsessionid is generated whenever a new session is created.
Upvotes: 4