Where is JSESSIONID stored? (JavaEE)

不知归路
不知归路 2020-12-15 13:07

I have two applications - A Java EE web application and a Java SE applet. I want to authenticate a user in the applet by means of a JSESSIONID (which is created by the web a

2 answers
  •  余生分开走
    2020-12-15 13:16

    The Java EE container will do most of the work for you. There are a couple of short-cuts you can take depending on which authentication method you use and the details of how the container behaves. I'll ignore those short-cuts for now. I am assuming that the user provides their information to the web application in some form - for example by logging in.

    When the user logs in, create a session (if one does not already exist) and add their user name (and any other details you like) to the session as session attributes.

    When a request comes in that already has a session, just retrieve the user details from the session. The container takes care of mapping the session ID in the request to the right session object and making that available to the request.

    If the session ID is invalid, the container will not associate a session object to the request.

    One final thing to watch out for is HttpOnly cookies. Containers should be using these by default for session IDs (to protect against XSS attacks). For the session ID to be available to the applet you'll need to disable the HttpOnly protection for the session cookies. This means that if your application has an XSS vulnerability it will be easy for an attacker to steal user session cookies.
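The pattern the answer describes, as an added example that is not part of the original answer: a login servlet that creates the session and stores the user name as a session attribute, and a protected servlet that reads it back and relies on the container having already rejected an unknown or expired JSESSIONID. The class names, URL patterns, attribute name and the `authenticate` placeholder are assumptions made for this illustration.

```java
// Added example (not from the original answer). Class names, URL patterns and the
// authenticate() placeholder are assumptions; the session handling is the part to note.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // Session attribute under which the authenticated user name is stored (assumed name).
    static final String USER_ATTR = "authenticatedUser";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (!authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop any pre-login session so a JSESSIONID that existed before
        // authentication never becomes an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // getSession(true) creates a fresh session; the container issues the
        // JSESSIONID cookie (HttpOnly by default on Servlet 3.0+ containers).
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, user);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Placeholder credential check; a real application verifies against its user store.
    private boolean authenticate(String user, String password) {
        return user != null && !user.isEmpty() && password != null && !password.isEmpty();
    }
}

// A protected resource: the container maps the JSESSIONID in the request to the
// session object, so the servlet only has to look up the attribute.
@WebServlet("/profile")
class ProfileServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) returns null when the request carries no JSESSIONID, or one
        // the container does not recognise (invalid, expired or invalidated).
        HttpSession session = req.getSession(false);
        String user = session == null
                ? null
                : (String) session.getAttribute(LoginServlet.USER_ATTR);
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as " + user);
    }
}
```

On Servlet 3.0 and later containers the HttpOnly flag on the session cookie is controlled by the `<session-config><cookie-config><http-only>` element in web.xml or by `ServletContext.getSessionCookieConfig().setHttpOnly(boolean)`; leaving it at `true` is the setting that protects the cookie from script access, and the trade-off the answer describes applies as soon as it is switched off.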
