Class SessionUtil

java.lang.Object
fc.web.servlet.SessionUtil

public final class SessionUtil extends Object
Misc utility methods for sessions and cookies.
  • Constructor Summary

    Constructors
    Constructor
    Description
     
  • Method Summary

    Modifier and Type
    Method
    Description
    static void
    deleteTestCookie(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
    Removes the test cookies if previously set.
    static boolean
    hasTestCookie(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
    Returns true if the browser accepts cookies.
    static String
    newSessionID()
    Returns a new session identifier.
    static void
    setTestCookie(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
    Sets a test cookie.

    Methods inherited from class Object

    equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

  • Method Details

    • setTestCookie

      public static void setTestCookie(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
      Sets a test cookie. The user should be redirected to this or some other page after calling this method, and the presence of the cookie can then be checked via hasTestCookie(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse) from that page. The lifetime of the test cookie is the browser session's lifetime (it is lost when the browser exits).
    • hasTestCookie

      public static boolean hasTestCookie(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
      Returns true if the browser accepts cookies. The setTestCookie() method must have been invoked by some page prior to calling this method AND the user must have been either redirected to that or some other page AND this method must be invoked from that redirected page.

      Note: Test cookies are entirely self-contained. They are meant to figure out whether a browser accepts cookies. Their presence or absence does not mean that other cookies will not be sent by the browser. These other cookies may point to an expired session in memory or in the database, and a separate check for that should be made.

    • deleteTestCookie

      public static void deleteTestCookie(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
      Removes the test cookie if previously set. Normally, the test cookie set by the setTestCookie(HttpServletRequest, HttpServletResponse) method is automatically removed when the browser exits, but this method allows removing it before then.
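      The set → redirect → check round trip that the three test-cookie methods require, shown as an added example servlet. This is not part of the fc library; it only calls the SessionUtil methods documented on this page. The servlet class name and the `probe` query parameter are assumptions used to tell the first request from the redirected one, and the session liveness check uses the container's own `getSession(false)` as the "separate check" the hasTestCookie note asks for.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import fc.web.servlet.SessionUtil;

/*
 * Hypothetical servlet (not part of the fc library) that probes whether the
 * browser accepts cookies using SessionUtil's test-cookie methods.
 * The "probe" parameter name is an assumption of this example.
 */
public class CookieProbeServlet extends HttpServlet {

    private static final String PROBE_PARAM = "probe"; // assumed marker name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {

        // Second leg: the browser was redirected back here after setTestCookie().
        // If it returned the test cookie, cookies are accepted.
        if (SessionUtil.hasTestCookie(req, res)) {
            // The test cookie proves cookie support only. Whether a session
            // cookie still maps to a live session is a separate check
            // (getSession(false) does not create a session if none exists).
            boolean liveSession = req.getSession(false) != null;

            // The probe has done its job; drop the test cookie now rather
            // than waiting for the browser to exit.
            SessionUtil.deleteTestCookie(req, res);

            res.setContentType("text/plain");
            res.getWriter().println("cookies: accepted; live session: " + liveSession);
            return;
        }

        // First leg: no test cookie and we have not probed yet. Set the cookie
        // on the redirect response and send the browser back to this URL with
        // a marker so the two legs can be told apart.
        if (req.getParameter(PROBE_PARAM) == null) {
            SessionUtil.setTestCookie(req, res);
            res.sendRedirect(req.getRequestURI() + "?" + PROBE_PARAM + "=1");
            return;
        }

        // We already probed and the browser came back without the cookie:
        // it (or something between it and us) is not accepting cookies, so
        // cookie-based session tracking will not work for this client.
        res.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        res.setContentType("text/plain");
        res.getWriter().println("cookies: rejected; cookie-based sessions will not work");
    }
}
```

      The marker parameter is what prevents an endless redirect loop for a browser that rejects cookies: without it, every request would look like a first leg. Note that the branch order matters; hasTestCookie is checked first so that a browser which already carries the test cookie from an earlier probe is not redirected again.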
    • newSessionID

      public static String newSessionID()
      Returns a new session identifier.
      See: cookies.lcs.mit.edu
      See: www.across.si
      
      There are 2 issues with generating session IDs:
      
      1) uniqueness - 2 or more session IDs should not end up being 
         the same.
      2) hard-to-guess - For example, sequential values like 
         1, 2, 3 are unique but easy to guess and therefore make
         session hijacking easy.
      
      Our session IDs have 2 parts:
      a) a timestamp for guaranteed uniqueness  (easy to guess)
      b) random data (hard to guess)
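      A generator built along the two-part design described above, as an added example; it is not the fc library's own newSessionID() implementation, whose exact layout and encoding the page does not give. The sizes (8-byte timestamp, 16 random bytes), the URL-safe Base64 encoding and the class name are assumptions of this example. It also includes a decoder for the timestamp part to make the "easy to guess" point concrete: anyone holding an ID can read the timestamp, so all of the unguessability has to come from the random part.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Base64;

/*
 * Added example, not the fc library's implementation: a session ID made of
 * timestamp (uniqueness) || random bytes (unguessability).
 */
public final class SessionIdExample {

    // SecureRandom is a CSPRNG. java.util.Random must not be used for the
    // random part: its output is reproducible from a small number of observed
    // values, which would leave only the (readable) timestamp as protection.
    private static final SecureRandom RNG = new SecureRandom();

    // 16 bytes = 128 bits of randomness, the usual floor for session tokens.
    private static final int RANDOM_BYTES = 16;

    private SessionIdExample() {}

    /** Returns timestampMillis(8 bytes) || random(16 bytes), URL-safe Base64, no padding. */
    public static String newSessionId() {
        byte[] raw = new byte[Long.BYTES + RANDOM_BYTES];
        ByteBuffer buf = ByteBuffer.wrap(raw);

        // Part a) wall-clock timestamp: distinct across time, but public knowledge.
        // Two IDs minted in the same millisecond share it; part b) keeps them distinct.
        buf.putLong(System.currentTimeMillis());

        // Part b) random data: the only part an attacker cannot derive.
        byte[] random = new byte[RANDOM_BYTES];
        RNG.nextBytes(random);
        buf.put(random);

        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Recovers the timestamp part, showing that it carries no secrecy. */
    public static long timestampOf(String sessionId) {
        byte[] raw = Base64.getUrlDecoder().decode(sessionId);
        if (raw.length != Long.BYTES + RANDOM_BYTES) {
            throw new IllegalArgumentException("unexpected session id length");
        }
        return ByteBuffer.wrap(raw, 0, Long.BYTES).getLong();
    }

    /** Number of random bits in an ID of this layout; the guessing cost is 2^bits. */
    public static int randomBits() {
        return RANDOM_BYTES * 8;
    }

    public static void main(String[] args) {
        String a = newSessionId();
        String b = newSessionId();
        System.out.println("id a:        " + a);
        System.out.println("id b:        " + b);
        System.out.println("a == b:      " + a.equals(b));          // false
        System.out.println("timestamp a: " + timestampOf(a));       // readable by anyone
        System.out.println("random bits: " + randomBits());         // 128
    }
}
```

      Two design points worth keeping when adapting this: the timestamp should be treated as a uniqueness aid only, never as entropy, and IDs should be compared and stored the way any bearer secret is (never logged in full, invalidated on logout). When the servlet container's own HttpSession is in use, its session ID generator already follows this pattern and a hand-rolled ID is only needed for sessions tracked outside the container.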