Question

I'm using JAVA and Wicket on JBOSS 5. I need to change the JSESSIONID cookie value to get the same Session used in another client (setting the other client's JSESSIONID). I need that to authenticate the other client, which has no keyboard. What is the best way?


Solution

If you really want to hack the JSESSIONID (which I don't recommend), you can do it the following way:

  • Write a Servlet Filter
  • In that filter, write a wrapper for the HttpServletRequest (let's call it RequestWrapper); a new instance of this class must be passed to chain.doFilter()
  • In the RequestWrapper override the getSession(boolean) method

In the getSession(boolean) implementation you have to

  • Identify (and remember) the session you want to 'share' with the non-keyboard user (this should come first)
  • Identify the situation when you want to make the 'change' (when with some kind of check you identify your non-keyboard user)
  • When you have to 'change', you can return the remembered session from the getSession()

The key moment is: How do you identify your non-keyboard user? If you can't do it safely (from the current information you provided I cannot see it), it is a security hole.

OTHER TIPS

I recommend implementing some kind of auto-login feature in your application. There are a number of possibilities for that (Client Certificate, or Single Sign-On with some other AA provider, even domain cookie).

If you are trying to log in with another application, your options are HTTP Basic Authentication, Client Certificate, or simply posting the username/password to your login page (this one is not the safest, though).

I prefer the Client Certificate, since that is the safest solution.
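The following is an added example, not code from either answer or from the asker's project. It takes the Client Certificate route recommended above and shows the "safe identification" step that the first answer calls the key moment: a servlet filter (Servlet 2.5 API, as shipped with JBoss 5) that recognises the keyboard-less client from the TLS client certificate the container has already verified, and logs it into its own session, instead of overriding getSession() to hand out another client's session. The filter class name, the session attribute name `authenticatedUser`, and the idea of using the certificate subject DN as the user identity are assumptions; the request attribute `javax.servlet.request.X509Certificate` is the standard Servlet API attribute for the verified client chain.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not from the original answers): auto-login for a
 * keyboard-less client based on the TLS client certificate the container has
 * already validated, instead of copying another client's JSESSIONID.
 */
public class ClientCertAutoLoginFilter implements Filter {

    // Session attribute under which the authenticated identity is stored.
    // The name is an assumption; use whatever your Wicket session expects.
    static final String USER_ATTR = "authenticatedUser";

    // Standard Servlet API attribute holding the verified client certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            String user = userFromClientCertificate(request);
            if (user != null) {
                // Discard any pre-existing anonymous session before logging in, so a
                // JSESSIONID supplied by someone else is never promoted to an
                // authenticated one (session fixation). Each client gets its own session.
                if (session != null) {
                    session.invalidate();
                }
                session = request.getSession(true);
                session.setAttribute(USER_ATTR, user);
            }
        }
        chain.doFilter(request, response);
    }

    /** Returns the subject DN of the verified client certificate, or null if none. */
    static String userFromClientCertificate(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) {
            return null;
        }
        // chain[0] is the client's own certificate; the container has already
        // checked it against the trust store configured on the HTTPS connector,
        // so the filter only has to map the subject to an application user.
        return chain[0].getSubjectX500Principal().getName();
    }

    public void destroy() { }
}
```

For this to work the HTTPS connector must actually request a client certificate (on JBoss Web this is the connector's clientAuth setting in its server.xml, and the keyboard-less device's certificate must be issued by a CA in the connector's trust store), and the filter must be mapped in web.xml ahead of the Wicket filter. The identity then comes from something the container has verified cryptographically, which is exactly the check the first answer says is missing when a copied JSESSIONID is used.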

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow