Can someone who merely knows my current JSESSIONID impersonate / hijack my session (Tomcat 7/Glassfish 3.2)?

橙三吉。 submitted on 2019-12-04 05:11:59

Q: Can someone who merely knows my current JSESSIONID impersonate / hijack my session?

A: Yes.

That's why it is important that your site is careful with cookies. Indeed, if you are worried about packet sniffing, this means that you should only send the session cookie when the request was made over an HTTPS connection[1]. And setting the 'httpOnly' flag helps things by stopping client-side JavaScript, etc. from using the cookie.

Q: In what scenarios will JSESSIONID be part of the URL?

A: Typically, this happens when the webserver (at the container level) puts the session token into the URL:

  • as a workaround for the user's browser not setting cookies, or
  • to make the URL "suitable" for bookmarking or sending to someone else via an email.

Obviously, this is insecure and "bad practice" ... though a short session timeout does tend to mitigate this. (Alternatively, it is OK over HTTPS ... provided that the user doesn't share the URL with other people[1].)


For Tomcat 6.x, I believe that the way to prevent the container from (ever) adding the session id to the URL is to add the disableURLRewriting="false" attribute to the context.

For Tomcat 7:

Context.disableURLRewriting: This has been removed. An equivalent effect can be obtained by configuring the session-config/tracking-mode elements in a web application or in the global CATALINA_BASE/conf/web.xml file.


[1] This assumes that you have patched (etc.) your webserver to address the known SSL end-point vulnerabilities. If not, your HTTPS connections may be insecure.
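An added example, not part of the original answer: a small audit of the `session-config` section of a `web.xml` for the settings discussed above (cookie-only tracking, `secure` and `http-only` cookie flags, a short timeout). The two descriptors are constructed samples using the standard Servlet 3.0 elements; the function names, finding codes and the 30-minute threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptors (not taken from the original answer).
WEAK = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>240</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>"""

HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

def local(tag):  # strip the "{namespace}" prefix ElementTree puts on tag names
    return tag.rsplit("}", 1)[-1]

def audit_session_config(web_xml, max_timeout_min=30):
    """Return finding codes for the <session-config> of a web.xml string."""
    root = ET.fromstring(web_xml)
    cfg = next((e for e in root.iter() if local(e.tag) == "session-config"), None)
    if cfg is None:
        return ["no-session-config"]  # container defaults decide everything
    modes, text = [], {}
    for e in cfg.iter():
        name, value = local(e.tag), (e.text or "").strip()
        if name == "tracking-mode":
            modes.append(value.upper())
        else:
            text[name] = value.lower()
    findings = []
    if "URL" in modes or not modes:  # unset: container default may allow URL
        findings.append("url-tracking")  # JSESSIONID can end up in links
    if text.get("secure") != "true":
        findings.append("cookie-not-secure")  # not pinned to HTTPS here
    if text.get("http-only") != "true":
        findings.append("cookie-not-http-only")  # not set explicitly here
    timeout = text.get("session-timeout", "")
    if not timeout.isdigit() or not 0 < int(timeout) <= max_timeout_min:
        findings.append("long-timeout")  # missing, never-expire, or too long
    return findings
```

A finding for an unset flag means only that the descriptor does not pin it; the container's own default may still apply.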
