Welcome to the Java Programming Forums


The professional, friendly Java community. 21,500 members and growing!


The Java Programming Forums are a community of Java programmers from all around the World. Our members have a wide range of skills and they all have one thing in common: A passion to learn and code Java. We invite beginner Java programmers right through to Java professionals to post here and share your knowledge. Become a part of the community, help others, expand your knowledge of Java and enjoy talking with like minded people. Registration is quick and best of all free. We look forward to meeting you.


>> REGISTER NOW TO START POSTING


Members have full access to the forums. Advertisements are removed for registered users.

Results 1 to 4 of 4

Thread: Servlets and Session tracking cookie's name

  1. #1
    Member angstrem's Avatar
    Join Date
    Mar 2013
    Location
    Ukraine
    Posts
    200
    My Mood
    Happy
    Thanks
    9
    Thanked 31 Times in 29 Posts

    Default Servlets and Session tracking cookie's name

    In the book "Head first JSP & Servlets", on page 275, they say:
    the specification dictates that
    the session tracking cookie
    must be JSESSIONID.
    Isn't it a flow from the point of view of security? Wouldn't it be better not to expose the information about the internal system of the server?


  2. #2
    Administrator copeg's Avatar
    Join Date
    Oct 2009
    Location
    US
    Posts
    5,307
    Thanks
    181
    Thanked 824 Times in 767 Posts
    Blog Entries
    5

    Default Re: Servlets and Session tracking cookie's name

    I'm not quite sure what about this concerns you. Are you worried about session hijacking? What trait(s) are you suggesting the JSESSIONID exposes?

  3. #3
    Member angstrem's Avatar
    Join Date
    Mar 2013
    Location
    Ukraine
    Posts
    200
    My Mood
    Happy
    Thanks
    9
    Thanked 31 Times in 29 Posts

    Default Re: Servlets and Session tracking cookie's name

    If you know that JSESSIONID is the cookie name, then you know, that server works under servlet technology. Hence, if someone wants to hack the site, he will search for Java vulnerabilities. In contrast, if there's no info about the internal engine of the server, the hacker can't be sure about what vulnerabilities he needs: he may, for instance, assume that the site is written on PHP and waste his time to work in that direction. Also, if some new security flow in Java will be discovered, it's more likely that it will be used against site, who is known for sure to work under Java.

  4. #4
    Administrator copeg's Avatar
    Join Date
    Oct 2009
    Location
    US
    Posts
    5,307
    Thanks
    181
    Thanked 824 Times in 767 Posts
    Blog Entries
    5

    Default Re: Servlets and Session tracking cookie's name

    Ah, now I understand your question. You should be able to change the name on up to date Servlet containers, and this is not against the spec - the quote above refers to an older version. Spec 3.0 states:

    The standard name of the session tracking cookie must be JSESSIONID, which must be supported by all 3.0 compliant containers. Containers may allow the name of the session tracking cookie to be customized through container specific configuration

  5. The Following User Says Thank You to copeg For This Useful Post:

    angstrem (June 24th, 2013)

Similar Threads

  1. Cookie Jar Program Issues
    By NoranPrease in forum What's Wrong With My Code?
    Replies: 10
    Last Post: May 16th, 2012, 02:04 PM
  2. atlas tracking and webtrend tracking
    By mrsreddy65@gmail.com in forum Java Theory & Questions
    Replies: 0
    Last Post: August 17th, 2011, 06:01 AM
  3. atlas tracking
    By mrsreddy65@gmail.com in forum Threads
    Replies: 3
    Last Post: August 16th, 2011, 04:54 AM