Using the session management provided by Java's Servlet API through the HttpSession interface, a cookie named JSESSIONID is created, and this cookie is used to determine whether the user has an existing session or not.
But does the Servlet container validate that this JSESSIONID value comes from the same machine that created the session?
I know that an XSS (Cross-site Scripting) attack can steal session cookies from users, but when the malicious user sends the JSESSIONID back to the server, is he/she able to retrieve the contents of the session? Or does the server validate the IP of the user sending the JSESSIONID?
No, it does not check whether the IP address is the same between subsequent requests in the same session. However, you can get that IP address, save it in the session under another name, and check it yourself.
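The check suggested above, written out as a servlet filter. This is an added example, not code from the original answer or from the Servlet API; it assumes the javax.servlet namespace, and the attribute name and class name are hypothetical. It records the client address the first time it sees an existing session and invalidates the session when the same JSESSIONID is presented from a different address.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: binds each HttpSession to the client address that
// first used it. Register it for all paths, e.g. @WebFilter("/*") or web.xml.
public class SessionIpBindingFilter implements Filter {

    // Our own attribute name; the Servlet API defines nothing like it.
    static final String BOUND_IP = "sessionipbinding.clientAddress";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): only inspect a session that already exists,
        // never create one just to record an address.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String clientIp = request.getRemoteAddr();
            String boundIp = (String) session.getAttribute(BOUND_IP);
            if (boundIp == null) {
                session.setAttribute(BOUND_IP, clientIp);   // first sighting: bind
            } else if (!boundIp.equals(clientIp)) {
                // Valid JSESSIONID arriving from another host: treat the cookie
                // as possibly stolen, log the mismatch (not the id) and drop it.
                request.getServletContext().log("Session bound to " + boundIp
                        + " presented from " + clientIp + "; invalidating");
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Behind a reverse proxy getRemoteAddr() returns the proxy's address, so the filter would need a trusted forwarded-for header instead; and because legitimate clients on mobile or NAT networks change addresses, this check logs users out on address change and is a coarse mitigation rather than a replacement for HttpOnly, Secure cookies and fixing the XSS itself.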
When a session is created for a user,
HTTP is a stateless protocol; the JSESSIONID value (either in the form of a cookie or as a URL parameter) is passed in each request to tell the server that the requests belong to the session represented by that JSESSIONID value. The server maintains session objects using JSESSIONID as the key that associates a session object with a request. It does not maintain a relationship between the client IP and the session ID, if this is what you meant by "server validates the IP of the user sending the JSESSIONID". So it doesn't perform client IP validation for a given session ID.
No, the server does not validate the IP address. That is the reason why there is a chance of session stealing. And the Servlet API introduced some measures to avoid it.