Java – Understanding JSessionId across multiple domains

javajsessionid

I'm trying to understand the uniqueness and scope of a JSessionId, as it relates across multiple, unreleated domains.

I've read Under what conditions is a JSESSIONID created?, and still have some questions —

Specifically:

If a user visits www.app1.com, and that app makes a call to www.app2.com to load data, are two jsessionId's created – one for each domain?

Likewise, when the call goes out to www.app2.com, is any information about the jsessionid from www.app1.com passed along?

What impact do redirects have on this? (Eg., requesting http://app1.com/login.jsp redirects to http://app2.com/login.jsp)

Best Answer

If a user visits www.app1.com, and that app makes a call to www.app2.com to load data, are two jsessionId's created - one for each domain?

Yes. More accurately every separate WebApp will issue its own cookie for its domain. So www.app1.com/1 and www.app1.com/2 will have different cookies if different webapps are mapped.

Likewise, when the call goes out to www.app2.com, is any information about the jsessionid from www.app1.com passed along?

No, but read up about XSS and CSRF on why securing your app is good, because it isn't hard to inject scripts that pass along your cookie to another url.

What impact do redirects have on this? (Eg., requesting http://app1.com/login.jsp redirects to http://app2.com/login.jsp)

None whatsoever. If you happen to be already loggged on to both, you'll probably be logged on afterwards. Logging off one doesn't affect the other. (If you want true single on/single sign off, both apps must trust a 3rd party like CAS server or Kerberos server).

Related Solutions

Java – Multiple line code example in Javadoc comment

In addition to the already mentioned <pre> tags, you should also use the @code JavaDoc annotation, which will make life much easier when it comes to HTML entities issues (in particular with Generics), e.g.:

* <pre>
* {@code
* Set<String> s;
* System.out.println(s);
* }
* </pre>

Will give correct HTML output:

Set<String> s;
System.out.println(s);

While omitting the @code block (or using a <code> tag) will result in HTML like this:

Set s;
System.out.println(s);

For reference, a full list of tag descriptions available in Java SE 8 can be found here.

Java – Under what conditions is a JSESSIONID created

JSESSIONID cookie is created/sent when session is created. Session is created when your code calls request.getSession() or request.getSession(true) for the first time. If you just want to get the session, but not create it if it doesn't exist, use request.getSession(false) -- this will return you a session or null. In this case, new session is not created, and JSESSIONID cookie is not sent. (This also means that session isn't necessarily created on first request... you and your code are in control when the session is created)

Sessions are per-context:

SRV.7.3 Session Scope

HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.

(Servlet 2.4 specification)

Update: Every call to JSP page implicitly creates a new session if there is no session yet. This can be turned off with the session='false' page directive, in which case session variable is not available on JSP page at all.

Best Answer

Related Solutions

Java – Multiple line code example in Javadoc comment

Java – Under what conditions is a JSESSIONID created

Related Topic