You don't actually have to mess with the session id itself, unless maybe you are using load balancing and this may be needed for that. But if you are just using one server, you don't have to do anything with it yourself. The session id tells your servlet container, let's say Tomcat, where to get the session for this user. So when you call `session.getAttribute("username")` or `session.setAttribute("username", userid)` or something like that, it knows which session to pull that from or save it to by the session id. But you only have to deal with the attributes that you store in the session.
To prevent session crossover you can store the user's IP and user-agent in the session and in each page compare the values in the request for IP and user-agent to the ones in the session, and if they don't match, invalidate the session (i.e. `session.invalidate()`) and redirect to the login page (i.e. `response.sendRedirect("loginform.jsp"); return;`) since this could mean that someone intercepted someone else's session cookie.
And if you are requiring a user to login, on each page you would want to check that the session attribute containing the username is not null, and redirect to the login page if it is.
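The checks described in this answer, put in one place as a servlet `Filter` instead of repeating them on every page. This is an added example, not code from the answer above; it assumes the `javax.servlet` API (Tomcat 9 and earlier), the attribute names `username`, `clientIp` and `userAgent`, and a login page at `/loginform.jsp` that the filter must skip so the redirect does not loop. The `bindSession` helper is also an assumption: it is what the login handler would call once credentials have been verified, to store the values the filter later compares.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards every request (map it to /* in web.xml or with @WebFilter("/*")):
 *  1. no session or no "username" attribute  -> redirect to the login page
 *  2. IP or User-Agent differ from the login  -> invalidate, then redirect
 * Attribute names and the login path are assumptions for this example.
 */
public class SessionGuardFilter implements Filter {
    static final String USER_ATTR = "username";
    static final String IP_ATTR = "clientIp";
    static final String UA_ATTR = "userAgent";
    static final String LOGIN_PAGE = "/loginform.jsp";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page itself must stay reachable without a session.
        if (LOGIN_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) does not create a session as a side effect.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        if (!clientMatches(session, request)) {
            // Values stored at login no longer match this request: treat the
            // session as possibly stolen, drop it and force a fresh login.
            session.invalidate();
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        chain.doFilter(req, res);
    }

    /** Compare the IP and User-Agent stored at login with the current request. */
    static boolean clientMatches(HttpSession session, HttpServletRequest request) {
        String boundIp = (String) session.getAttribute(IP_ATTR);
        String boundUa = (String) session.getAttribute(UA_ATTR);
        return boundIp != null && boundIp.equals(request.getRemoteAddr())
            && boundUa != null && boundUa.equals(request.getHeader("User-Agent"));
    }

    /**
     * Assumed helper for the login handler: called once after the credentials
     * have been verified, it records the user plus the IP and User-Agent that
     * clientMatches() checks on every later request.
     */
    static void bindSession(HttpServletRequest request, String userId) {
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTR, userId);
        session.setAttribute(IP_ATTR, request.getRemoteAddr());
        session.setAttribute(UA_ATTR, request.getHeader("User-Agent"));
    }
}
```

Two things to keep in mind when using this. `getRemoteAddr()` returns the address of whatever connected to Tomcat, so behind a reverse proxy or load balancer every request shows the proxy's address and the IP check compares nothing useful unless the container is configured to trust the forwarded client address. And clients on mobile networks or corporate proxies legitimately change IP mid-session, so a strict IP match will log some real users out; the User-Agent comparison is the less disruptive of the two.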