I have a legacy servlet application running in Apache Tomcat. The app uses the session to store some data between requests. Session data is stored in Redis by the session manager, but the JSESSIONID cookie is still used for session tracking.
I would like to integrate this app into a microservice environment, where Bearer token authentication is used.
Is there a way to use the subject from the token as the session ID instead of a value generated by the server and passed via cookie?
I found the session ID extraction in org.apache.catalina.connector.CoyoteAdapter#postParseRequest:
// Look for session ID in cookies and SSL session
parseSessionCookiesId(request);
parseSessionSslId(request);
sessionID = request.getRequestedSessionId();
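One way to do what the question asks, as an added example rather than code from the question or from Tomcat: a Valve placed in the Context pipeline (after CoyoteAdapter has parsed the cookie, but before the application calls getSession()) that overwrites the requested session ID with a value derived from the verified token's subject. The TokenVerifier interface, the verifierClass and hmacKeyHex attributes, and the servlet API flavour (javax, i.e. Tomcat 9) are assumptions; it also assumes the Redis session manager honours the ID passed to createSession(id) and that sessionCookiePath is left at "/", which is the condition under which Tomcat reuses a requested ID for a new session. Two points worth noting: the bare sub claim (a username) would make the session ID predictable, so the example HMACs it with a server-side key, and requests without a valid token have any JSESSIONID they carry discarded, so a token-bound session cannot be reached by replaying its ID as a cookie.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example, not from the original post or from Tomcat itself.
 * Configured in context.xml as, for instance:
 *   <Valve className="example.BearerSessionIdValve"
 *          verifierClass="example.MyJwtVerifier" hmacKeyHex="..."/>
 * (class names and attribute names are assumptions of this example).
 */
public class BearerSessionIdValve extends ValveBase {

    /** Hypothetical: wraps whatever JWT library checks signature, issuer, audience and expiry. */
    public interface TokenVerifier {
        /** Returns the sub claim of a valid token, or null when the token is not acceptable. */
        String verifiedSubject(String token);
    }

    private String verifierClass;   // set by Tomcat from the verifierClass attribute
    private String hmacKeyHex;      // set by Tomcat from the hmacKeyHex attribute
    private TokenVerifier verifier;
    private byte[] hmacKey;

    public void setVerifierClass(String verifierClass) { this.verifierClass = verifierClass; }
    public void setHmacKeyHex(String hmacKeyHex) { this.hmacKeyHex = hmacKeyHex; }

    @Override
    protected void initInternal() throws LifecycleException {
        super.initInternal();
        try {
            verifier = (TokenVerifier) Class.forName(verifierClass).getDeclaredConstructor().newInstance();
            hmacKey = HexFormat.of().parseHex(hmacKeyHex);
        } catch (ReflectiveOperationException | IllegalArgumentException e) {
            throw new LifecycleException("BearerSessionIdValve misconfigured", e);
        }
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String auth = request.getHeader("Authorization");
        String subject = null;
        if (auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            subject = verifier.verifiedSubject(auth.substring(7).trim());
            if (subject == null) {
                // A token was presented but did not verify: reject rather than fall back to cookies.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        if (subject != null) {
            // Replace whatever CoyoteAdapter parsed from JSESSIONID with an id derived from the token.
            request.setRequestedSessionId(deriveSessionId(subject));
            // Tomcat reuses a requested id when creating a session only if it arrived via cookie
            // (with sessionCookiePath "/") or via the SSL session; flag it as cookie-sourced.
            request.setRequestedSessionCookie(true);
            request.setRequestedSessionURL(false);
        } else {
            // No token: drop any JSESSIONID the client sent, so a token-bound session cannot be
            // reached by guessing or replaying its id as a cookie.
            request.setRequestedSessionId(null);
            request.setRequestedSessionCookie(false);
            request.setRequestedSessionURL(false);
        }
        getNext().invoke(request, response);
    }

    /** Deterministic per subject, but not guessable from the username: HMAC-SHA256 under a server key. */
    String deriveSessionId(String subject) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return HexFormat.of().formatHex(mac.doFinal(subject.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the session is now addressed only through a verified token, the JSESSIONID cookie Tomcat still emits is harmless but redundant; if the application never needs it, the Context can be configured with cookies="false" so it is not sent at all.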
Starting with a description of what is happening.
Say I have an API www.domain.com/login, and once the user logs in it redirects to www.someOtherDomain.com. While redirecting, the response sent for someOtherDomain has a Set-Cookie header carrying a cookie for the domain .domain.com. This cookie is for persisting the user's login session on www.domain.com. But the cookie is not being set, and hence no login session is being created.
What I want to do:
I want to set the cookie on the same domain where the login page is hosted (here www.domain.com) and then redirect to someotherdomain.com.
Additional details:
I am using org.springframework.web.servlet.view.RedirectView for the redirect, and for setting the cookie I am using HttpServletResponse response.
How can this be achieved in Java Spring Boot?
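An added example of the flow the question describes (not code from the question or from Spring): the login handler on www.domain.com writes the Set-Cookie header for .domain.com on its own 302 response and then redirects to the other site. The browser stores a cookie from a redirect response before following the Location header, and a host can only set cookies for its own registrable domain, so the cookie must be issued by the www.domain.com response, never by anything served from someOtherDomain. The SessionIssuer interface, the cookie name and lifetime, and the HTTPS-only assumption are this example's own; the redirect target is a fixed constant rather than a request parameter so the endpoint is not an open redirect.

```java
import java.time.Duration;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.view.RedirectView;

/** Added example, not from the original post. Served from www.domain.com. */
@Controller
public class LoginController {

    /** Hypothetical credential check plus session store, assumed by this example. */
    public interface SessionIssuer {
        /** Returns an opaque, unguessable session token for valid credentials, or null. */
        String issue(String username, char[] password);
    }

    private static final String COOKIE_NAME = "LOGIN_SESSION";                    // assumed name
    private static final String COOKIE_DOMAIN = ".domain.com";                     // from the post
    private static final String AFTER_LOGIN = "https://www.someOtherDomain.com/";  // fixed target, from the post

    private final SessionIssuer sessions;

    public LoginController(SessionIssuer sessions) {
        this.sessions = sessions;
    }

    @PostMapping("/login")
    public RedirectView login(@RequestParam String username,
                              @RequestParam String password,
                              HttpServletResponse response) {
        String token = sessions.issue(username, password.toCharArray());
        if (token == null) {
            RedirectView back = new RedirectView("/login?error", true); // context-relative
            back.setExposeModelAttributes(false);
            return back;
        }

        ResponseCookie cookie = ResponseCookie.from(COOKIE_NAME, token)
                .domain(COOKIE_DOMAIN)   // valid here because this response comes from www.domain.com
                .path("/")
                .secure(true)            // assumes the site is served over HTTPS
                .httpOnly(true)          // not readable by page scripts
                .sameSite("Lax")         // still sent on the top-level navigation back from the other site
                .maxAge(Duration.ofHours(8))
                .build();
        // Set-Cookie rides on the 302 itself; the browser stores it for .domain.com and then
        // follows Location. The cookie is never sent to someOtherDomain.
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());

        RedirectView view = new RedirectView(AFTER_LOGIN);
        view.setExposeModelAttributes(false); // keep model attributes out of the external URL
        return view;
    }
}
```

If the login form is itself posted from someOtherDomain (a cross-site POST), a SameSite=Lax cookie is still set by this response, but it will not accompany later cross-site subresource requests; that is the intended behaviour for a session cookie.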
Is it secure to authenticate a user using the JSESSIONID that the client passes to the server?
Assume that in a Spring app, we store the JSESSIONID of a user who provided correct credentials at login in a database, and we authenticate each subsequent request based on that JSESSIONID.
Does this method provide the same level of security as using JSON Web Tokens?
JWTs are cryptographically signed, so they are much more difficult to forge than session IDs.
Session IDs are generated using a secure random number generator, which may be predictable depending on the implementation.
https://news.netcraft.com/archives/2003/01/01/security_advisory_2001011_predictable_session_ids.html
More information on why JWT is preferable to session IDs may be found here:
https://stormpath.com/blog/beginners-guide-jwts-in-java
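Whatever one concludes about JWT versus opaque IDs, the scheme the question proposes (authenticating requests by an ID looked up in a database) rests on the ID being unguessable, short-lived and revocable. The following is an added example, not code from the question or the answer, of what that lookup table should look like: IDs drawn from SecureRandom with 256 bits of entropy, only a SHA-256 hash of the ID stored (so a leaked table does not yield usable credentials), an expiry per entry, and explicit revocation on logout. The in-memory map stands in for the database the question mentions, and the class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example, not from the original post. The map stands in for the database. */
public final class SessionTokenStore {

    private record Entry(String user, Instant expires) {}

    private final Map<String, Entry> byHash = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;

    public SessionTokenStore(Duration ttl) {
        this.ttl = ttl;
    }

    /** Called after the credentials have been verified; returns the value to put in the cookie. */
    public String issue(String user) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG, not a counter or timestamp
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(hash(token), new Entry(user, Instant.now().plus(ttl)));
        return token;                              // the plaintext token exists only on the client
    }

    /** Returns the user bound to a presented token, or null if unknown, expired or revoked. */
    public String authenticate(String presentedToken) {
        if (presentedToken == null) {
            return null;
        }
        String key = hash(presentedToken);         // lookup by hash: the table never holds live tokens
        Entry e = byHash.get(key);
        if (e == null) {
            return null;
        }
        if (Instant.now().isAfter(e.expires())) {
            byHash.remove(key);                    // lazy expiry; a sweeper would do this in bulk
            return null;
        }
        return e.user();
    }

    /** Logout: the entry is deleted, so a captured token stops working immediately. */
    public void revoke(String token) {
        if (token != null) {
            byHash.remove(hash(token));
        }
    }

    private static String hash(String token) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JCA spec", e);
        }
    }
}
```

Reusing Tomcat's own JSESSIONID as this token, as the question suggests, also means the ID is whatever the container generates and whatever it accepts from the client (cookie or URL rewriting); issuing a dedicated token as above keeps the authentication credential under the application's control.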
I need to learn how a Tomcat server identifies different hosts to create unique sessions. Does it do it according to IP?
Based on the answer to this question, I want to be able to create multiple sessions for a single client, on a server which simply uses httpServletRequest.getSession() to create new sessions. Is it possible to give a predefined session ID to a server, so that the server creates a new session bound to that session ID?
It doesn't do any identification. Each time a request comes in and you ask for a session to be created, it creates one. The generated session ID is sent to the browser in a cookie, and the browser sends this cookie back with all subsequent requests, which allows Tomcat to find the associated session.
I can't really understand what you're trying to achieve. A session doesn't identify a server. It identifies a specific client of a web app. Each client has its own session ID. Assigning a session ID to a server doesn't make much sense to me.
Turns out that if you don't have any cookie, you are treated as a brand new user, and it gives you a new cookie. So not sending a cookie is enough to obtain another session ID.
I have a standalone application which uses HttpClient to communicate with another web application for user authentication and to set the user details in the session of the web application. After returning to the standalone application I have some logic to run, and afterwards I forward to the web application's success page (here, in the success page, I am unable to retrieve the session; the session object is null).
So how do I preserve the session?
Sessions are only available to the web application and the client browser!
So you need to ask the admins or find a public API to get it, because you can't reach it from a remote machine directly.
The clients just save the ID of the session in a cookie and don't store data locally; everything you need is in the web application's scope.
I am a newbie to both Spring and Shiro. I have some questions on session management.
I saw a question which gives quite a good introduction to session management.
But what I did not understand is how Shiro communicates with the client to pass the session information, and how the client authenticates itself again on subsequent requests. Does Shiro pass a session ID automatically, without me having to code for it?
Does the browser automatically store the session ID and send it (maybe over HTTPS) with subsequent requests?
How is the session logout communicated to the client? And how does the client understand that it has to log in again?
Thanks!
The session ID is stored as a browser cookie. The session ID cookie is removed from the browser when the user logs out (and the session is invalidated on the server). Requests made after the cookie is dropped will appear to Shiro to be coming from an anonymous user, so Shiro will redirect the browser to a login page if they try to request a URL that requires you to be logged in.