Does a Java session (HttpSession) validate IP addresses?

Question

Using the Session managed provided by Java's Servlet API through the HttpSession interface, a cookie JSESSIONID is created. And this cookie is used to validate if the user has a created session or not.

But, does the Servlet validate that this JSESSIONID value comes from the same machine that created the session?

I know that a XSS (Cross-site Scripting) attack can steal session cookies from users, but when the malicious user sends JSESSIONID back to the server, is he/she able to retrieve the contents of the session? Or the server validates the IP of the user sending JSESSIONID?

Answer 1

No, it didnot check if the ipaddress same between subsequent request in same session. However, you can get that ip address and save in session with other name and can check by your sel

Answer 2

When a session is created for a user,

• a session id is created on server side.
• This session id is sent to the browser who sent the request
• this id is stored in a cookie called JSESSIONID
• Browser sends this cookies for subsequent request
• Server knows the session id on server side and validates with the one in cookies
• ip address is not checked for subsequent request. Session is identified using jsessionid

Answer 3

HTTP is a stateless protocol, JSESSIONID value (either in form of cookie or as a URL parameter) is passed in each request to instruct the server that the requests belong to a session represented by the JSESSIONID value. The server maintains session objects using JSESSIONID as a key which is used to associate session object with a request. It does not maintain relationship between client ip and session id, if this is what you meant by "server validates IP of the user sending the JSESSIONID". So it doesn't perform client IP validation for a given session id.

Answer 4

No, the server does not validate the ip address. That is the reason why there can be chances of session stealing. And, Servlet introduced some measure to avoid them.