Tomcat not invalidating sessions

Hi, I am calling session.invalidate() in my web application but this does not remove the JSESSIONID cookie.

So one of our customers has raised this as a security threat.

It's called JSESSIONID. It is an internal cookie (which you cannot manipulate) on the server. What we're after is someone who's done the session implementation but without any cookies, so classes that we then don't have to write: adding, removing things from sessions, etc. Cookies are useful only when you want to persist certain information with that client.

Once you response.encodeURL(url); The server will automatically append ";jsessionid= Weird. And take back the same information when he signs in next. You can enable the URL rewriting, which is supported by all the servers.

I will try and put the problem differently: I have a web application which presents a login page to the user.

User enters his user id and password and is logged in.

You have that option in the server for session tracking.

In which case - what I'm after is a set of code that someone else has already written that provides the same kind of functionality - so that we don't have to write it! But what I'm after - is avoiding writing a load of code to deal with this.

URL to something somewhere where someone has written code that provides session functionality WITHOUT using browser (client-side) cookies. All you need to do is encode your URLs (to include the session id). There's nothing more that you need to do.

So, sample code/URLs/articles would be most welcome if at all possible.

First, disable cookies in your browser then try the following test code.
