Servlet Session - switch from URL Rewriting to Cookie

Situation: I have a "dumb" JavaScript frontend that can contact some kind of SSO middleware (MW). The MW can obtain sessions by issuing requests that contain authentication credentials (username, password), i.e. the session will be created for a certain user.

My frontend needs to "restart" the session to gain the user's permissions to the target system. For that I need a valid session cookie.

The target system is not under my control (could be a more or less public WFS, WMS, etc.), so I cannot add any SSO mechanism to it.

Question: Is it possible to "steal" a session by forging a request whose URL contains a valid session ID in the jsessionid parameter?

Goal: Issue such a request to a Servlet and make it respond with a Set-Cookie header that contains the same ID. That way the frontend joins the session and may do whatever the user that was used to create the session is able to do.

Answers


Your best bet is a shared datasource (RDBMS?) where the shared information is stored with some long, auto-generated, unique identifier as key (java.util.UUID maybe?) and then pass this key around.
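
A sketch of the keyed shared store this answer describes, added here as an example and not code from the answer's author. The `HandoffStore` class, its in-memory map (standing in for the RDBMS table), and the expiry and single-use rules are assumptions made for illustration; it needs Java 16 or later for `record`.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper: in-memory stand-in for the shared datasource (a table in practice).
public class HandoffStore {
    // Value stored under each key: who the entry belongs to and when it stops being valid.
    record Entry(String username, Instant expiresAt) {}

    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final Duration ttl;

    public HandoffStore(Duration ttl) { this.ttl = ttl; }

    // Middleware side: after authenticating the user, store the shared information
    // under a fresh random key and pass only that key around.
    public String issue(String username, Instant now) {
        String key = UUID.randomUUID().toString(); // type 4 UUID, backed by SecureRandom
        entries.put(key, new Entry(username, now.plus(ttl)));
        return key;
    }

    // Consumer side: look the key up exactly once. remove() makes the key single-use,
    // so a key that leaks through a URL, log or Referer header cannot be replayed.
    public Optional<String> redeem(String key, Instant now) {
        Entry e = entries.remove(key);
        if (e == null || now.isAfter(e.expiresAt())) {
            return Optional.empty(); // unknown, already used, or expired
        }
        return Optional.of(e.username());
    }

    public static void main(String[] args) {
        HandoffStore store = new HandoffStore(Duration.ofSeconds(30));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample time
        String key = store.issue("alice", t0);              // constructed sample user
        System.out.println(store.redeem(key, t0.plusSeconds(5)));   // first use
        System.out.println(store.redeem(key, t0.plusSeconds(6)));   // replay of the same key
        String late = store.issue("alice", t0);
        System.out.println(store.redeem(late, t0.plusSeconds(31))); // presented after expiry
    }
}
```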

