Thread: Servlets and Session tracking cookie's name

  1. #1
    Member angstrem's Avatar

    Default Servlets and Session tracking cookie's name

    In the book "Head first JSP & Servlets", on page 275, they say:
    "the specification dictates that the session tracking cookie must be JSESSIONID."
    Isn't it a flaw from the point of view of security? Wouldn't it be better not to expose the information about the internal system of the server?


  2. #2
    Administrator copeg's Avatar

    Default Re: Servlets and Session tracking cookie's name

    I'm not quite sure what about this concerns you. Are you worried about session hijacking? What trait(s) are you suggesting the JSESSIONID exposes?

  3. #3
    Member angstrem's Avatar

    Default Re: Servlets and Session tracking cookie's name

    If you know that JSESSIONID is the cookie name, then you know that the server runs on servlet technology. Hence, if someone wants to hack the site, he will search for Java vulnerabilities. In contrast, if there's no info about the internal engine of the server, the hacker can't be sure about what vulnerabilities he needs: he may, for instance, assume that the site is written in PHP and waste his time working in that direction. Also, if some new security flaw in Java is discovered, it's more likely that it will be used against a site that is known for sure to run on Java.

  4. #4
    Administrator copeg's Avatar

    Default Re: Servlets and Session tracking cookie's name

    Ah, now I understand your question. You should be able to change the name on up-to-date Servlet containers, and this is not against the spec - the quote above refers to an older version. Spec 3.0 states:

    The standard name of the session tracking cookie must be JSESSIONID, which must be supported by all 3.0 compliant containers. Containers may allow the name of the session tracking cookie to be customized through container specific configuration

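As an added example that is not part of the original thread: Servlet 3.0 also exposes the session cookie settings through `SessionCookieConfig`, so the name can be changed from application code rather than only through container-specific configuration. The class name and the cookie name `sid` below are assumptions chosen for illustration, and the code uses the `javax.servlet` namespace of Servlet 3.0.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical listener: runs once at application start-up, before any
// session exists, which is the only point where these settings may be changed.
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    // Constructed, technology-neutral name replacing the default JSESSIONID.
    private static final String COOKIE_NAME = "sid";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // Rename the session tracking cookie.
        cfg.setName(COOKIE_NAME);

        // Keep the cookie away from client-side script and plain HTTP.
        // setSecure(true) assumes the application is served over HTTPS.
        cfg.setHttpOnly(true);
        cfg.setSecure(true);

        // Track sessions by cookie only. With URL rewriting enabled the
        // session id would also be carried in the URL, outside the cookie
        // whose name was just changed.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

The same settings can be declared in `web.xml` under `<session-config>` with `<cookie-config>` and `<tracking-mode>`. Renaming the cookie removes only this one indicator of the platform; patching the container and the application is unaffected by it.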