
Does a Java session (HttpSession) validate IP addresses?


Using the session management provided by Java's Servlet API through the HttpSession interface, a cookie named JSESSIONID is created, and this cookie is used to validate whether the user has a created session or not.

But does the servlet validate that this JSESSIONID value comes from the same machine that created the session?

I know that an XSS (Cross-site Scripting) attack can steal session cookies from users, but when the malicious user sends the JSESSIONID back to the server, is he/she able to retrieve the contents of the session? Or does the server validate the IP of the user sending the JSESSIONID?


Solution

  • When a session is created for a user,

    • a session id is created on the server side.
    • This session id is sent to the browser that sent the request.
    • The id is stored in a cookie called JSESSIONID.
    • The browser sends this cookie with subsequent requests.
    • The server knows the session id on its side and validates it against the one in the cookie.
    • The IP address is not checked for subsequent requests. The session is identified using the JSESSIONID.
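Since the container itself does nothing of the kind, an application that wants a session bound to the address that created it has to add that check itself. The following is an added example (not code from the question or the answer above) of a hypothetical servlet Filter that does so; it assumes the `javax.servlet` package names of Servlet 3.x/4.x and uses a session attribute name of our own choosing.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: binds each HttpSession to the client address that first used it.
// The servlet container does not perform this check on its own.
@WebFilter("/*")
public class SessionClientBindingFilter implements Filter {

    // Our own attribute name for the originating address (not a Servlet API name).
    private static final String BOUND_ADDR = "sessionBoundRemoteAddr";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): only look at an existing session, never create one just to check it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String current = request.getRemoteAddr();
            String bound = (String) session.getAttribute(BOUND_ADDR);
            if (bound == null) {
                // First request seen on this session: remember where it came from.
                session.setAttribute(BOUND_ADDR, current);
            } else if (!bound.equals(current)) {
                // The JSESSIONID was presented from a different address than the one
                // it was bound to. Treat the session as compromised: drop it and refuse.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session/client mismatch");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Behind a reverse proxy `getRemoteAddr()` returns the proxy's address, and clients on mobile or NATed networks change addresses legitimately, so this check can lock out valid users. Marking the session cookie HttpOnly (the `cookie-config` element in web.xml) is the more direct defence against the XSS cookie theft the question describes.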