In the previous chapter I explained that, when the browser has cookies disabled, hidden form fields can be used for session tracking. With hidden form fields, however, the user can easily see what is being transmitted, because on a GET submission every field ends up in the query string of the URL:
e.g.
http://serverhost:port/applicationname/servlet.do?username=xxx&age=xx&..................
So with a GET request anyone who can see the URL (the end user, a shoulder-surfer, a proxy, the browser history or a server log) can read and tamper with the data. A POST request keeps the fields out of the URL but not out of the request itself, so it is no protection against someone who can observe the traffic.
Java provides another way of session tracking: URL rewriting. In this mechanism every URL the application writes into a page is modified to carry some extra information, namely the session id, appended under the name jsessionid.
The question that comes to mind is: what is JSESSIONID and why is it necessary?
The answer: JSESSIONID is the identifier the container assigns to an HttpSession. When cookies are in use, the web server creates the session, sends a JSESSIONID cookie in the response, and the client sends it back on every subsequent HTTP request; the container uses that value to look up the client's session. If the client has disabled cookies, the container falls back to URL rewriting, and the same id is appended to the URL as a path parameter, as shown below:
e.g.
http://serverhost:port/applicationname/servlet.do;jsessionid=363F3D316
Let's create an example to understand URL rewriting. In this example the doGet() method of a servlet encodes the URL with response.encodeURL() and writes the result to the output stream. Note that encodeURL() only appends the id when the container has not yet received a session cookie from that client (typically the first response of a new session, or any response to a client that never sends cookies); once a JSESSIONID cookie arrives, the same call returns the URL unchanged.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Class name and the /servlet.do mapping are assumed; the chapter only shows the doGet() body
@WebServlet("/servlet.do")
public class URLRewriterServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Create the session first: encodeURL() has nothing to append until a session exists
        request.getSession(true);
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String contextPath = request.getContextPath();
        // The container appends ;jsessionid=... only if this client has not sent a session cookie
        String encodedUrl = response.encodeURL(contextPath + "/WelcomePage.jsp");
        out.println("<html>");
        out.println("<head>");
        out.println("<title>URL Rewriter</title>");
        out.println("</head>");
        out.println("<body><center>");
        out.println("<h2>URL rewriting Example</h2>");
        out.println("For welcome page - <a href=\"" + encodedUrl + "\">Click Here</a>.");
        out.println("</center></body>");
        out.println("</html>");
    }
}
WelcomePage.jsp page
<html>
<body>
<h2 align="center">Welcome to URL rewriting example</h2>
</body>
</html>
But be aware that URL rewriting carries significant security risks. The session id appears in the URL, where third parties can easily see it, and
- end users often copy and paste such links (into mail, chat or a forum) without knowing that the attached session id lets whoever receives the link take over their session
- browsers keep the URL in history and bookmarks, and web servers and proxies write it to their access logs
- when the user follows a link from a rewritten page to another site, the browser sends the full URL in the 'Referer' header, so that other site's log records our session id
If the application does not have to support cookie-less clients, the safest option is to turn the fallback off: in a Servlet 3.0 or later web.xml, <session-config><tracking-mode>COOKIE</tracking-mode></session-config> makes the container ignore jsessionid in URLs and stops encodeURL() from appending it.
Some web sites use cookies to track browsing patterns, so some users turn cookies off to protect their privacy. Given the seriousness of the above issue, many would argue that turning cookies off is actually much worse for privacy: the risk of personal data being compromised through session hijacking far outweighs concerns about the tracking of browsing patterns.
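The risks listed above are easiest to appreciate from the server's own access log, so here is an added example (not part of the original chapter, and not code from any container) that scans combined-format log lines for session ids carried in the request line or the Referer header, reports any id presented from more than one client address, and redacts ids before the log is stored or shared. The log lines are constructed for the illustration; the host serverhost:8080, the forum.example referrer and the logo.png resource are assumptions.

```python
import re
from collections import defaultdict

# A servlet container that falls back to URL rewriting appends the session id as a
# path parameter (";jsessionid=..."), before any query string. Some deployments use
# "?jsessionid=" instead, so both forms are matched. Tomcat ids are hex, optionally
# suffixed with ".jvmRoute", hence the dot in the character class.
JSESSIONID_RE = re.compile(r"(?i)([;?&])jsessionid=([A-Za-z0-9._-]+)")

# Apache/Tomcat "combined" access-log format: client, identd, user, [time],
# "request line", status, bytes, "Referer", "User-Agent".
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def extract_jsessionid(url):
    """Return the session id carried in a rewritten URL, or None if there is none."""
    m = JSESSIONID_RE.search(url)
    return m.group(2) if m else None


def redact(text):
    """Replace every session id in text with a fixed marker, keeping the rest intact."""
    return JSESSIONID_RE.sub(lambda m: m.group(1) + "jsessionid=[REDACTED]", text)


def scan_log(lines):
    """Find session ids exposed in the request line or the Referer header.

    Returns a list of (line_no, client, field, session_id) tuples. A "referer" hit
    in our own log means the id travelled in a header; the same header reaches any
    third-party site the user navigates to from a rewritten page.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not in combined format: skip rather than guess
        for field in ("target", "referer"):
            sid = extract_jsessionid(m.group(field))
            if sid:
                findings.append((n, m.group("client"), field, sid))
    return findings


def shared_sessions(findings):
    """Session ids presented from more than one client address.

    A rewritten link that was copied, pasted or leaked lets a second party reuse
    the same id; this is the hijacking pattern worth alerting on.
    """
    clients = defaultdict(set)
    for _, client, _, sid in findings:
        clients[sid].add(client)
    return {sid: sorted(c) for sid, c in clients.items() if len(c) > 1}


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    # cookie-less first request; the response carried links rewritten with the id
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /applicationname/servlet.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # the user follows the rewritten link: id in the request line, Referer is clean
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /applicationname/WelcomePage.jsp;jsessionid=363F3D316 HTTP/1.1" 200 310 "http://serverhost:8080/applicationname/servlet.do" "Mozilla/5.0"',
    # the user pasted the link on a forum; a different client now presents the same id
    '198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /applicationname/WelcomePage.jsp;jsessionid=363F3D316 HTTP/1.1" 200 310 "http://forum.example/thread/42" "curl/8.0"',
    # a request whose Referer is a rewritten page of ours: the id left the browser in a header
    '10.0.0.5 - - [10/Oct/2023:14:03:02 +0000] "GET /applicationname/logo.png HTTP/1.1" 200 2048 "http://serverhost:8080/applicationname/WelcomePage.jsp;jsessionid=363F3D316" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for n, client, field, sid in found:
        print(f"line {n}: {client} exposed session {sid} in {field}")
    print("shared:", shared_sessions(found))
    print(redact(SAMPLE_LOG[1]))
```

Run against a real Tomcat or Apache access log, the scanner is only as good as its log format: if the Referer is not logged at all, the header leak is invisible to it, and the only fix is not to put the id in the URL in the first place.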
In the next chapter I will explain sessions.