getting HttpSession object using session Id

Discussions

Web tier: servlets, JSP, Web frameworks: getting HttpSession object using session Id

  1. whenever user logon to the application we are storing sessionid in the db. (we delete this entry once session expires). CSR can access this table and get all users information, also he can invalidate any users session. For implementing this, CSR can get other user's session id. Is there any way we can get Users' session object using session id, so that I can call invalidate() method???

    I appreciate your help.
  2. I don't think you can do that any more. Before, using HttpSessionContext one could call getSession(id) and that would return the session. But that seems to violate the security. Imagine somebody getting hold somebody else's session like youa re trying to do..:). Any way from Servlet spec 2.1, this method is deprecated and would return you null if you want to use it.

    I think of an alternat way you can do is to serialize the session itself in the datebase against the session id and user name. I don't know whether that would be useful for you or not. But whether you serialize or not, servlet engine would invalidate the session once the timeout is reached. You can't access the current running sessions just by using session id.
  3. If you are using a Servlet 2.3+ container, you can use a HttpSessionListener to store a copy of the session in a global map, keyed by sessionId. This global map could be stored as an attribute of the ServletContext. You can then write an admin utility to invalidate() sessions using this map. Be sure to remove the session from the map in the HttpSessionListener.sessionDestroyed() method.

    On older servers, you can store the session in the Map when the user logs in. This is a bit riskier because you have no easy way to remove the session from the Map when the session is destroyed. You might be circumvent the removal problem by using a WeakHashMap to store session objects.