I want to set custom session id for my web application ,I have alogorithm to generate session id my web application should use that algo for generating session id.
please suggest me how cam i set my algorithm as session id generation in tomcat..
session Manager --> i tried this but it provide complete session behaviour modification control ,i just want to set session id as per my algo no session behaviour changes
Implementing com.sun.entrprises.uui.uuidgenerator ---> tried this also but not able to understand exactly how to do this
please suggest me simplest solution just to set my algo as session generation algorithm
Note: you might suggest not to do it but i needed it for my project
Extending org.apache.catalina.session.StandardManager should do what you want.
Do something like this:
public class MySessionManager extends StandardManager {
#Override
protected synchronized String generateSessionId() {
String sessionId = <Your session id generation algo>;
return sessionId;
}
}
After you have your session manager, follow this answer.
Related
I am implementing a redis-shiro session management feature in my project and currently I have very little information about Shiro & Redis.
I want to know whether calling the below will hit the redis database everytime to check whether any sessionId exist in the redis database or not.
Code in Service
Subject currentUser = SecurityUtils.getSubject();
Session session = currentUser.getSession();
Code in Controller:
public String getSomrthing(#CookieValue("JSESSIONID") String fooCookie){
callingSomeServiceMethod(fooCookie);
return "It does not matter";
}
Does we have to match the sessionId manually like below in our service or does Shiro will match it automatically, since my application will be running in a multi instance environment.?
Subject currentUser = SecurityUtils.getSubject();
if(currentUser.getId.equals(fooCookie)){
//.....Some Code
//.....Some Code
}
The session will looked up a max of once per request, less depending on any additional caching you have configured.
You wouldn't manage/lookup the sessionId directly from your controller though. All of this logic would be transparent and handled by Shiro and/or your servlet container's session management.
As the title says. In PHP for example I can set the session id manually to handle the session with some logic based on it. I have generated hash code from some workflow and would like to set it as the session id. I know some implied this could be bad practice if not careful but as team member I was directed to look and try to do this task.
So could session ID set manually ?
Note that I mean the actual session ID not just the cookie named JSESSIOINID that being set on first request. I need the session as it is with only session id set manually.
Update: I'm using JBoss but I'd appreciate any generic answer or at the very least for JBoss EAP.
For Tomcat, you may be able to create a custom session manager (see this). You would then have access to the Tomcat Session object and could call setId(java.lang.String id).
No standardized way to it. Only custom way through the container's own API
We need a functionality of killing a specific session (by session ID) from some kind of an admin panel.
I attempted using the following approach:
public static void killSession(String sid) {
HttpSessionContext sc = FacesUtil.getSession().getSessionContext();
HttpSession session=sc.getSession(sid);
session.invalidate();
}
However
HttpSessionContext, and getSessionContext() and
getSession(sessionId) methods of a session are all deprecated (for seemingly paranoid security reasons)
The above code also gets a null session when invoked in an ApplicationScoped JSF managed bean
I'm seeking an alternative way of achieving the functionality.
Yes, you can't invalidate session from another session due to security reasons. What you can do is to manually store all sessions in some static attribute available to admin. So user logs in, you add him and his session to this attribute (usually a Map/HashMap with user as a key and session as value).
Look at my older answer here and you will get an idea.
How to get any http session by id or all currently active http sessions within web application (Java 2 EE) in an elegant way?
Currently I have a WebSessionListener and once session was created I put it in ConcurrentHashMap() (map.put(sessionId, sessionObj)), everything ok, I can retrieve HTTP session from that map in any time by session id, but it looks like the HttpSession objects will never finalize... Even session was invalidated the map still reference on invalidated session object... Also I have read this article and it looks like the WeakHashMap is not acceptable in my case...
In other words I need a possiblity to look in any HttpSession even get all currently active HttpSession and retrieve some attributes from there...
Please advice somebody :)
Update
I need to access HttpSession objects because of follwoing reason:
Sometimes user does some actions/requests that may impact the work of another concurrent user, for example admin should disable user account but this user currently working with the system, in this case I need to show a message to admin e.g. "user XXX is currently working with the system" hence I need to check if any HttpSession which holds credentials of user XXX already exists and active. So this is whay I need such possibility to get any http session or even all sessions.
My current implementation is: SessionManager which knows about all sessions (ConcurrentMap) and HttpSessionListener which put/remove session into SessionManager.
I was concerned about memory issues that may occure and I wanted to discusse this with someone, but currently I am clearly see that everything should works fine because all invalidated session will be removed from map when sessionDestroyed() method will be called...
Many thanks for your replays, but now I understood that problem was just imagination :)
As per your clarification:
Sometimes user does some actions/requests that may impact the work of another concurrent user, for example admin should disable user account but this user currently working with the system, in this case I need to show a message to admin e.g. "user XXX is currently working with the system" hence I need to check if any HttpSession which holds credentials of user XXX already exists and active. So this is whay I need such possibility to get any http session or even all sessions.
For this you actually don't need to know anything about the sessions. You just need to know which users are logged in. For that you can perfectly let the model object representing the logged in user implement HttpSessionBindingListener. I of course assume that you're following the normal idiom to login/logout user by setting/removing the User model as a session attribute.
public class User implements HttpSessionBindingListener {
#Override
public void valueBound(HttpSessionBindingEvent event) {
Set<User> logins = (Set<User>) event.getSession().getServletContext().getAttribute("logins");
logins.add(this);
}
#Override
public void valueUnbound(HttpSessionBindingEvent event) {
Set<User> logins = (Set<User>) event.getSession().getServletContext().getAttribute("logins");
logins.remove(this);
}
// #Override equals() and hashCode() as well!
}
Then somewhere in your admin app, just obtain the logins from ServletContext:
Set<User> logins = (Set<User>) servletContext.getAttribute("logins");
Generally speaking, your servlet container will have its own session manager, which is responsible both for maintaining the lifecycle of the sessions, and associating incoming requests with the appropriate session (via cookies, anchor parameters, whatever strategy it wants).
The elegant way to do this would be to hook into this session manager in whatever way it allows. You could subclass the default one, for example, to allow you to get access to arbitrary sessions.
However, it sounds like what you're doing belies an underlying problem with your architecture. The data contained within a session should be specific to that session, so in general you shouldn't need to look up an arbitrary one in order to provide the standard logic of your web application. And administrative/housekeeping tasks are usually handled for you by the container - so again, you shouldn't need to interfere with this.
If you gave an indication of why you want access to arbitrary sessions, chances are that an alternative approach is more suited to your goals.
Andrzej Doyle is very right. But if you really, really want to manage your own list of sessions, then the way to connect to your container is via the HttpSessionListener - example code.
The listener is called whenever a new session is created, and importantly, it's also called when a session is destroyed; this will allow you to mimic the container's session bookkeeping.
You use your web.xml to register your session listener as a lifecycle listener for your your app.
You can communicate your session list with other processes in the container using the ServletContext, or you can cook up a more dirty scheme using e.g. static class fields.
I'm maintaining a Java web application.
Looking into the login code it gets an HttpSession out of HttpServletRequest via the getSession() method of HttpServletRequest. (It uses some values in the session for authentication purposes)
However I'm worried about session fixation attacks so after I have used the initial session I want to either start a new session or change the session id. Is this possible?
The Servlet 3.0 API doesn't allow you to change the session id on an existing session. Typically, to protect against session fixation, you'll want to just create a new one and invalidate the old one as well.
You can invalidate a session like this
request.getSession(false).invalidate();
and then create a new session with
getSession(true) (getSession() should work too)
Obviously, if you have an data in the session that you want to persist, you'll need to copy it from the first session to the second session.
Note, for session fixation protection, it's commonly considered okay to just do this on the authentication request. But a higher level of security involves a tossing the old session and making a new session for each and every request.
Since Java EE 7 and Servlet API 3.1 (Tomcat 8) you can use HttpServletRequest.changeSessionId() to achieve such behaviour. There is also a listener HttpSessionIdListener which will be invoked after each change.