Version 4.10.0
Class SuppressUnwantedSessions

  extended by
All Implemented Interfaces:

public class SuppressUnwantedSessions
extends Object
implements Filter

Suppress the creation of unwanted sessions.

Using this filter means that browsers must have cookies enabled. Some users believe that disabling cookies protects them. For web applications, this seems unadvisable since its replacement -- URL rewriting -- has a much higher security risk. URL rewriting is dangerous since it is a vector for session hijacking and session fixation.

This class can be used only when form-based login is used. When form-based login is used, the generation of the initial JSESSIONID cookie is done only once per session, by the container. This filter helps you enforce the policy that form-based login should be the only time a session cookie is generated.

Superfluous sessions and session ids represent a security risk. Here, the following approach is taken:

Note how the container and the web application work together to manage the JSESSIONID cookie.

It's unfortunate that the Servlet API and Java Server Pages make it a bit too easy to create new sessions. To circumvent that, this filter uses custom wrappers for the underlying HTTP request and response. These wrappers alter the implementations of the following methods related to creating sessions :

Calls to the getSession methods are in effect all coerced to getSession(false). Since this doesn't affect the form-based login mechanism, the user will still receive a JSESSIONID cookie during form-based login. This policy ensures that your code cannot mistakenly create a superfluous session.

The encodeXXX methods are no-operations, and simply return the given String unchanged. This policy in effect disables URL rewriting. URL rewriting is a security risk since it allows session ids to appear in simple links, which are subject to session hijacking.

As a convenience, this class will also detect sessions that do not have a user login, and will log such occurrences as a warning.

Constructor Summary
Method Summary
 void destroy()
          This implementation does nothing.
 void doFilter(ServletRequest aRequest, ServletResponse aResponse, FilterChain aChain)
 void init(FilterConfig aFilterConfig)
          This implementation does nothing.
Methods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail


public SuppressUnwantedSessions()
Method Detail


public void doFilter(ServletRequest aRequest,
                     ServletResponse aResponse,
                     FilterChain aChain)
              throws IOException,
Specified by:
doFilter in interface Filter


public void init(FilterConfig aFilterConfig)
This implementation does nothing.

Specified by:
init in interface Filter


public void destroy()
This implementation does nothing.

Specified by:
destroy in interface Filter

Version 4.10.0

Copyright Hirondelle Systems. Published October 19, 2013 - User Guide - All Docs.