

JSP Session Security !

Posted on 2004-10-24
Medium Priority
Last Modified: 2012-06-27
Dear Friends,

I would like to ask about JSP session security.

I am using the session to manage the user information after user login.
There are 3 files: loginform.jsp > checkdata.jsp > userpage.jsp

1. loginform.jsp
<FORM METHOD=POST ACTION="checkdata.jsp">
What's your name? <INPUT TYPE=TEXT NAME=username SIZE=20>
What's your password? <INPUT TYPE=password NAME=password SIZE=20>
<INPUT TYPE=SUBMIT>
</FORM>

2. checkdata.jsp
<%
   // check against the database that the user is OK .......... then put the user information into the session
   String name = request.getParameter( "username" );
   session.setAttribute( "theName", name );
%>
<A HREF="userpage.jsp">Login Success, please click to use your service</A>

3. userpage.jsp
Hello, <%= session.getId() %><%= session.getAttribute("theName") %>

That is ok for user A login, no problem.

****** But from another computer in another place, I can use the link to access user A's userpage.jsp as well, with no password needed.

It is not secure to use the session to hold user information. What can I do?
Question by:samneed
LVL 13

Expert Comment

ID: 12392163
And how the other computer will get the session ID?

LVL 13

Expert Comment

ID: 12392178
I also want to add that this is called URL rewriting; it lets client browsers that have cookies disabled support sessions.

If u don't want this feature (URL rewriting) please refer to ur application server to see if u can disable it, but if u disable it, users whose browsers have cookies disabled will not be able to access ur Web application

Author Comment

ID: 12392191
Hi petmagdy,

jsessionid=F81678782CF7A8892EC1A4353C07D6F3 maybe someone could use a program to keep checking which jsessionid is valid ^O^

I am using Tomcat 5.0.28 standalone.


LVL 13

Expert Comment

ID: 12392223
A programmer can do anything if he has access to the Tomcat file system and administration. In order for the programmer to eavesdrop on sessions he must be allowed to put his code on the server; this should never be allowed on production for non-authorized

to make sure that the session depends on cookies u must set cookies to true as in this URL:


but there is no way to disable URL rewriting

Author Comment

ID: 12392409

If there is no way to disable URL rewriting,

I would like to ask for any method to protect against this. How do other web servers, like a bank web site, hold user information after users log in?

LVL 13

Expert Comment

ID: 12392513
samneed, you are assuming a problem that doesn't exist because of the following:

1- jsessionid=F81678782CF7A8892EC1A4353C07D6F3 is the session id but encrypted, and actually the cookie stores the same value and u can get it too if u browse ur browser cookies, so if there is a problem it is in the cookie too!! Because u as a human user logged in and then saw this jsessionid value, u were able to get what u want

2- to hack using code u need to get the real session id, not the encrypted one u see in the URL rewrite

3- If someone can monitor the HTTP traffic (and this is possible) he will get the password u supply in ur form too!!

and why u can't do this for a Bank application, because of the following:

1- U can't access the Bank application server
2- The bank network and application server are protected by security firewalls
3- The Bank application will use SSL to encrypt the HTTP traffic (it becomes HTTPS), even if u spied on the HTTP traffic u will get nothing but encrypted rubbish

don't worry, use sessions as they are if u will develop a banking application :)


Author Comment

ID: 12392847
Thanks petmagdy!

1. With jsessionid=F81678782CF7A8892EC1A4353C07D6F3 it is possible to get the session information. It exists ^O^

2. What are the "real session id" and the "encrypted one" in the URL rewrite?

3. I don't know SSL well enough. Can https://www.abcdomainex.com/userpage.jsp;jsessionid=F81678782CF7A8892EC1A4353C07D6F3 not be accessed from another computer?
LVL 13

Accepted Solution

petmagdy earned 2000 total points
ID: 12392936
Samneed, u need to understand something first: Internet security is about protecting ur private information from somebody else getting it, not about protecting ur private information from u!! So it protects against somebody else seeing ur password, and the same goes for the jsessionid value, but only u know ur password and only u know the jsessionid

1- Because u urself logged in to ur application u saw jsessionid=F81678782CF7A8892EC1A4353C07D6F3 and in the same way u can browse ur cookies to get this value too

2- the real session id is the one returned by HttpSession.getId(); the encrypted one is jsessionid=F81678782CF7A8892EC1A4353C07D6F3

3- The objective of SSL is to encrypt the communication between u on ur browser and the Web Server, so nobody except u can get the jsessionid

So as an answer to ur question: u and only u can go to another computer and access:

4- the Session expires after a configurable period u specify in the web.xml; after this period the jsessionid becomes invalid

I hope I answered u :)

Author Comment

ID: 12393110
Many Thanks Petmagdy ^O^ !
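
As an added example (not code from this thread or from Tomcat), a servlet filter for the setup in the question that accepts the session id only from the cookie, lets userpage.jsp through only when checkdata.jsp has stored "theName", and stops URL rewriting on the pages it guards. The class name SessionGuardFilter and its web.xml mapping to the protected pages are assumptions; only Servlet 2.x API calls available on Tomcat 5.0.x are used.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

// Hypothetical filter; map it in web.xml to userpage.jsp and other
// protected pages only (not to loginform.jsp or checkdata.jsp).
public class SessionGuardFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String login = req.getContextPath() + "/loginform.jsp";
        HttpSession session = req.getSession(false);

        // 1. A session id that arrived as ";jsessionid=..." in the URL is
        //    treated as leaked: end that session and ask for a fresh login.
        if (req.isRequestedSessionIdFromURL()) {
            if (session != null) {
                session.invalidate();
            }
            res.sendRedirect(login);
            return;
        }
        // 2. No session, or a session that never passed checkdata.jsp.
        if (session == null || session.getAttribute("theName") == null) {
            res.sendRedirect(login);
            return;
        }
        // 3. Keep the container from appending ";jsessionid=..." to links
        //    written by the protected pages.
        chain.doFilter(req, new HttpServletResponseWrapper(res) {
            public String encodeURL(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
        });
    }
}
```

With this filter in place, browsers that have cookies disabled can no longer keep a session on the guarded pages, which is the trade-off petmagdy describes above. The session cookie is still a bearer value, so it needs the SSL transport mentioned in the answers to stay private in transit.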
