
JAVA Change JSESSIONID cookie


I'm using Java and Wicket on JBoss 5. I need to change the JSESSIONID cookie value to get the same session used in another client (setting the other client's JSESSIONID). I need that to authenticate the other client (that has no keyboard). What is the best way?


Solution

  • If you really want to hack the JSESSIONID (which I don't recommend), you can do it the following way:

    • Write a Servlet Filter
    • In that filter write a wrapper for the HttpServletRequest (a new instance of this class must be passed to the chain.doFilter()) (let's call it RequestWrapper)
    • In the RequestWrapper override the getSession(boolean) method

    In the getSession(boolean) implementation you have to

    • Identify (and remember) the session you want to 'share' with the non-keyboard user (this should come first)
    • Identify the situation when you want to make the 'change' (when with some kind of check you identify your non-keyboard user)
    • When you have to 'change', you can return the remembered session from the getSession()

    The key moment is: How do you identify your non-keyboard user? If you can't do it safely (from the current information you provided I cannot see it), it is a security hole.
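
The filter described in this answer, as an added example that is not the answerer's own code. It assumes the non-keyboard client is identified by a hypothetical single-use `pairCode` request parameter, handed out by a hypothetical `offer()` helper to the already authenticated client and valid for 60 seconds; the JSESSIONID cookie itself is never rewritten.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: the pairCode parameter, 60 s lifetime and offer() are assumptions.
public class SharedSessionFilter implements Filter {
    private static final long TTL_MS = 60000L;
    private static final SecureRandom RNG = new SecureRandom();
    private static final class Offer {
        final HttpSession session; final long expires = System.currentTimeMillis() + TTL_MS;
        Offer(HttpSession s) { session = s; }
    }
    // one-time code -> session the authenticated user agreed to share
    private static final Map<String, Offer> OFFERS = new ConcurrentHashMap<String, Offer>();
    // keyboard-less client's own session id -> shared session
    private static final Map<String, HttpSession> LINKS = new ConcurrentHashMap<String, HttpSession>();
    /** Called from the authenticated client: remembers its session, returns a one-time code. */
    public static String offer(HttpSession session) {
        String code = new BigInteger(130, RNG).toString(32); // 130 random bits, unguessable
        OFFERS.put(code, new Offer(session));
        return code;
    }
    private static boolean alive(HttpSession s) {
        try { s.getLastAccessedTime(); return true; } catch (IllegalStateException e) { return false; }
    }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest req = (HttpServletRequest) rq;
        String code = req.getParameter("pairCode");
        Offer o = code == null ? null : OFFERS.remove(code); // single use: gone after first presentation
        if (o != null && System.currentTimeMillis() < o.expires && alive(o.session))
            LINKS.put(req.getSession(true).getId(), o.session);
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public HttpSession getSession() { return getSession(true); }
            @Override public HttpSession getSession(boolean create) {
                HttpSession own = super.getSession(create);
                HttpSession shared = own == null ? null : LINKS.get(own.getId());
                // an invalidated shared session (logout, timeout) must not be handed out again
                if (shared != null && !alive(shared)) { LINKS.remove(own.getId()); shared = null; }
                return shared != null ? shared : own;
            }
        }, rs);
    }
}
```

Entries in `LINKS` and unredeemed entries in `OFFERS` are not purged here; an `HttpSessionListener` or a timer would evict them in a deployed version.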