If you really want to hack the JSESSIONID (which I don't recommend), you can do it the following way:
- Write a Servlet Filter
- In that filter write a wrapper for the `HttpServletRequest` (a new instance of this class must be passed to the `chain.doFilter()`) (let's call it `RequestWrapper`)
- In the `RequestWrapper` override the `getSession(boolean)` method
In the `getSession(boolean)` implementation you have to
- Identify (and remember) the session you want to 'share' with the non-keyboard user (this should come first)
- Identify the situation when you want to make the 'change' (when with some kind of check you identify your non-keyboard user)
- When you have to 'change', you can return the remembered session from the `getSession()`
The key moment is: How do you identify your non-keyboard user? If you can't do it safely (from the current information you provided I cannot see it), it is a security hole.
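
The steps above as an added sketch (not code from the answer), written against the `javax.servlet` API. The header name `X-Device-Token`, the `deviceSecret` init parameter and the `shareWithDevice` session attribute are hypothetical; it assumes the application sets that attribute on the keyboard user's session after login, and it keeps a single shared slot for one device.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.atomic.AtomicReference;
import javax.servlet.*;
import javax.servlet.http.*;

public class SharedSessionFilter implements Filter {
    // Hypothetical names: header, init parameter and session attribute are assumptions.
    private static final String DEVICE_HEADER = "X-Device-Token";
    private static final String SHARE_FLAG = "shareWithDevice";
    private final AtomicReference<HttpSession> remembered = new AtomicReference<>();
    private byte[] deviceSecret;

    @Override public void init(FilterConfig cfg) throws ServletException {
        String s = cfg.getInitParameter("deviceSecret");
        if (s == null || s.length() < 32) throw new ServletException("deviceSecret missing or too short");
        deviceSecret = s.getBytes(StandardCharsets.UTF_8);
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new RequestWrapper((HttpServletRequest) req), res);
    }
    @Override public void destroy() { remembered.set(null); }

    // The identification step: TLS only, plus a constant-time compare against a server-held secret.
    private boolean isNonKeyboardUser(HttpServletRequest r) {
        String t = r.getHeader(DEVICE_HEADER);
        return r.isSecure() && t != null
            && MessageDigest.isEqual(t.getBytes(StandardCharsets.UTF_8), deviceSecret);
    }

    private final class RequestWrapper extends HttpServletRequestWrapper {
        RequestWrapper(HttpServletRequest r) { super(r); }
        @Override public HttpSession getSession() { return getSession(true); }

        @Override public HttpSession getSession(boolean create) {
            HttpServletRequest r = (HttpServletRequest) getRequest();
            HttpSession shared = remembered.get();
            if (shared != null && isNonKeyboardUser(r)) {
                try { shared.getCreationTime(); return shared; }   // throws if invalidated
                catch (IllegalStateException gone) { remembered.compareAndSet(shared, null); }
            }
            HttpSession own = r.getSession(create);  // normal path, also the fail-closed fallback
            if (own != null && !isNonKeyboardUser(r) && Boolean.TRUE.equals(own.getAttribute(SHARE_FLAG)))
                remembered.set(own);
            return own;
        }
    }
}
```

If the device check fails or the remembered session has been invalidated, the request gets only its own session, so the shared session is never handed out on an unverified request.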