AngelsandDemons

Reputation: 2843

Generating Own Session Id in JSF

I have a web application in which we use the JSF framework. I have been diving deep into the security part of the web application and hence I was looking to generate my own unique session ID (using an encryption algorithm) and assign it to every new session which gets created once a user logs in.

Can anyone please guide me on how to set a manually generated session ID in the session and ensure that with each request that session ID is transmitted?

Thanks.

Upvotes: 0

Views: 2472

Answers (2)

JB Nizet

Reputation: 691635

I really doubt you'll generate session IDs that are more secure than the ones generated by the container, but here's what you could do, without using any container-specific extension.

Create a servlet filter which intercepts every request to the server.

When a request comes in, check if a session already exists for this request (using getSession(false)). If one exists, then extract your specific cookie MY_SESSION_ID from the request, and compare its value to the one that is stored in the session. If they don't match, reject the request.

If the session doesn't exist, then create it (using getSession(true)), generate your super-secure session ID, store it as a session attribute and add the cookie MY_SESSION_ID to the response.

This has the disadvantage of creating a session automatically, even if it's not strictly needed. But that's the case most of the time when using JSPs or component frameworks.

Upvotes: 2
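The filter described in this answer, written out as an added example (my code, not the answer author's). It assumes the Servlet 3.0 API and Java 8 (for java.util.Base64), uses the cookie name MY_SESSION_ID from the answer, and stores the expected value under a session attribute of the same name, which is my choice. The ID is 256 bits from SecureRandom rather than an "encryption algorithm", and the comparison uses MessageDigest.isEqual so that timing does not leak how many leading characters matched:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Binds a second, application-generated ID to every container session and
// rejects requests whose MY_SESSION_ID cookie does not match the stored value.
@WebFilter("/*")   // step 1 of the answer: intercept every request
public class SecondarySessionIdFilter implements Filter {

    static final String COOKIE_NAME = "MY_SESSION_ID";   // name taken from the answer
    static final String ATTR_NAME   = "MY_SESSION_ID";   // assumed attribute key
    private static final SecureRandom RNG = new SecureRandom();

    // 256 random bits, URL-safe base64 without padding (43 characters).
    static String generateId() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Returns the value of the named cookie, or null if the client did not send it.
    static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    // Length-independent comparison so an attacker cannot measure partial matches.
    static boolean constantTimeEquals(String expected, String presented) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    // Issues a fresh ID, stores it in the session and sends it to the client.
    private static void bindNewId(HttpServletRequest req, HttpServletResponse resp, HttpSession session) {
        String id = generateId();
        session.setAttribute(ATTR_NAME, id);
        Cookie c = new Cookie(COOKIE_NAME, id);
        c.setHttpOnly(true);                 // not readable from page scripts
        c.setSecure(req.isSecure());         // only over TLS when the app is served over TLS
        String path = req.getContextPath();
        c.setPath(path.isEmpty() ? "/" : path);
        resp.addCookie(c);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        HttpSession session = req.getSession(false);   // do not create one just to look
        if (session == null) {
            // No session yet: create it and bind our own ID (the answer's second case).
            bindNewId(req, resp, req.getSession(true));
        } else {
            String expected = (String) session.getAttribute(ATTR_NAME);
            if (expected == null) {
                // Session exists but was never bound (created before this filter ran): bind now.
                bindNewId(req, resp, session);
            } else {
                String presented = cookieValue(req, COOKIE_NAME);
                if (presented == null || !constantTimeEquals(expected, presented)) {
                    // Cookie missing or wrong: reject, as the answer says.
                    resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

Because the filter creates a session on the first request, every visitor gets one, which is the disadvantage the answer points out. Note that this adds a second secret beside JSESSIONID rather than replacing it: the container still identifies the session by its own cookie, and the filter only refuses to serve requests that carry a container session without the matching MY_SESSION_ID.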

McDowell

Reputation: 108859

Attempting to do this at the JSF application layer is unlikely to be successful; I would perform this task at a lower level API. I am assuming a servlet container.

I can think of two approaches:

  1. do this at a container level via a server-specific SPI (if one even exists)
  2. do this by rewriting requests/responses via a servlet Filter

There is insufficient information to comment on the viability of the first approach.

In the second, you would have to determine the name of the session cookie (it is usually JSESSIONID, but does not have to be). Your API would:

  1. map the filter to all application requests
  2. maintain a map of container session ids to "secure" ids
  3. use the filter to rewrite any session cookie in the request with the session id
  4. use the filter to rewrite any session cookie in the response with the secure id
  5. use a listener to remove invalid sessions from the map to avoid memory leaks

Upvotes: 1
