SpringLearner

Reputation: 13854

How to maintain session in java

I know the following are the ways to maintain a session (session tracking) in Java, but I am looking for a good one.

If the client browser has blocked accepting and storing cookies, then the last 2 ways are not valid. With hidden form fields I need to pass the hidden values on each and every page inside a form. So suppose I am just using response.sendRedirect(); then the hidden form field is of no use. The remaining one is URL rewriting, in which I will pass the JSESSIONID in the URL. So my question is: by knowing the session ID, can't unauthorized persons access the pages? For example, there are 3 pages: login, register, send. After login the user can register and/or send. So if anyone knows the session ID, can't he/she go directly to the register/send page? If yes, please tell me how to prohibit this.

Upvotes: 3

Views: 9336

Answers (4)

Mark Thomas

Reputation: 16660

As of Servlet 3.0 (Apache Tomcat 7 onwards), if you use SSL then you can configure your application to track sessions based on the SSL session ID. The downside is that everything has to be over SSL. The advantage is that the session is strongly tied to the SSL connection. Only the user that created the connection to the server that has the correct SSL session has access to the session. Even if an attacker knows the session ID, they can't access the session.

One word of caution: this form of session tracking is the least widely used, so it may not have been as heavily tested as the more usual cookie and URL re-writing mechanisms.

Upvotes: 2

Subir Kumar Sao

Reputation: 8411

Session tracking & authentication are two different things; don't club them.

Understanding your requirement, I see you want to secure the session ID of the user.

  1. Eavesdropping: If someone is listening to the request & response in the middle, he can take the session ID and use it. The best way would be to use SSL. This ensures no one is listening in the middle.
  2. Session ID stolen from the client side: Normally this should be taken care of by the browser and OS. So your user is as secure as the system he has.

Upvotes: 0

Scary Wombat

Reputation: 44854

Have a look at this link, which outlines best practices for using HTTP sessions.

Including:

  • javax.servlet.http.HttpSession.invalidate()
  • Use HTTPS

Upvotes: 1

Thihara

Reputation: 6969

With standard solutions you can't.

You can add some measure of security by adding request originator IP address verification, but that's also fooled easily. (To clarify, "some" here means a very tiny, itsy-bitsy little bit.)

So the secure route is to not use URL rewriting to maintain a session in a secure application.

However, you may be able to get some security by keeping the JSESSIONID as a separate encrypted attribute which will be decrypted by a middleware or a load-balancing server sitting between the client and your application servers. This of course is just a thought; I haven't, fortunately, ever had to try something like that out :-)

Upvotes: 0
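An added example (not code from any of the answers above) that puts the answers' recommendations into Servlet 3.0 API calls: restrict session tracking to cookies so the JSESSIONID never appears in a URL (or switch to the SSL session-ID mode Mark Thomas describes), mark the cookie Secure and HttpOnly, and rotate the session at login using invalidate(). The class name and the "user" attribute are assumptions.

```java
import java.util.EnumSet;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Registered automatically by the container via @WebListener (Servlet 3.0+).
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // COOKIE only: the container will no longer append ;jsessionid=... to
        // encoded URLs, so the ID cannot leak through links, logs or Referer.
        // For SSL-session-ID tracking use EnumSet.of(SessionTrackingMode.SSL)
        // instead; the spec does not allow SSL to be combined with other
        // modes, and the whole application must then be served over HTTPS.
        sce.getServletContext().setSessionTrackingModes(
                EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from page scripts
        cookie.setSecure(true);   // only sent over HTTPS, so it cannot be sniffed
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    // Call after credentials have been verified. Invalidating the pre-login
    // session and issuing a fresh one means any session ID an attacker saw or
    // planted before login no longer refers to the authenticated session.
    public static HttpSession rotateSessionOnLogin(HttpServletRequest request,
                                                   String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", username); // "user" is an assumed attribute name
        return fresh;
    }
}
```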
