Can a HttpSession created on Java be accessed using $_SESSION of PHP

I'm currently working on a portal that will cater for a consolidated login for a JSP and a PHP web application.

I want to try if it's possible for the two applications to share the same session.

There's no single answer to your question, but it depends on how you approach this task.

In general, sharing sessions between services is discouraged for the same reasons as sharing the same database between applications. You create a dependency between two parties and it gets very easy to break things.

To your actual question: If you represent a session as a Redis hash (map/dictionary data structure) using ASCII/UTF-8 keys and values, you should be able to access the data from both applications.

In any case, it would be safer from a development point of view to provide a handover endpoint which is asked by the other application to retrieve metadata about a particular session. The endpoint can be specified properly and gets more visibility, reducing the risk of breaking things.

This type of question usually reveals architectural issues as you're attempting to address a concern on a non-appropriate level.

I wouldn't go for the same session, even if someone later comes up with an answer on how to make it possible. However, in your original question it sounds like the problem is that you want to log in only once. The shared session is the solution that you came up with.

It turns out that there is a perfect fit for your original problem - it just doesn't involve your envisioned solution. Instead, it's called SSO, "Single Sign On". In such a system, you're authenticating to a (potentially) third system, which validates the username/password and communicates this to all web applications that delegate authentication to it. This way, you're authenticating to a single place, and can immediately be signed in to every other system.

Think Facebook- or Google-Login on any site. If you run SSO on your own server, you can even configure it to transparently log in when the SSO already knows you, so that the redirect through your SSO is invisible to the user unless they closely watch the browser's location bar.
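
The handover endpoint suggested in the first answer could look like this on the Java side, using only the JDK's built-in HTTP server. This is an added example, not code from either answer; the `/handover` path, the `X-Session-Id` header, the `HANDOVER_TOKEN` environment variable and the in-memory session map are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

public class SessionHandover {
    // Stand-in for the JSP application's real session store (assumption).
    record Session(String user, Instant expires) {}
    static final Map<String, Session> SESSIONS = new ConcurrentHashMap<>();

    // Service credential known only to the PHP application; start-up fails if it is unset.
    static final byte[] SERVICE_TOKEN = Objects.requireNonNull(
        System.getenv("HANDOVER_TOKEN"), "set HANDOVER_TOKEN").getBytes(StandardCharsets.UTF_8);

    // Only the other application may ask about sessions; compare in constant time.
    static boolean callerIsTrusted(String authHeader) {
        if (authHeader == null || !authHeader.startsWith("Bearer ")) return false;
        byte[] given = authHeader.substring(7).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(given, SERVICE_TOKEN);
    }

    // The specified contract: user name and expiry only, never the raw session contents.
    // Returns null for unknown or expired sessions, or a name that would need JSON escaping.
    static String describe(String sid) {
        Session s = sid == null ? null : SESSIONS.get(sid);
        if (s == null || s.expires().isBefore(Instant.now())) return null;
        if (!s.user().matches("[A-Za-z0-9_.-]+")) return null;
        return "{\"user\":\"" + s.user() + "\",\"expires\":" + s.expires().getEpochSecond() + "}";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample session so the endpoint has something to return.
        SESSIONS.put("constructed-session-id", new Session("alice", Instant.now().plusSeconds(900)));
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8081), 0);
        server.createContext("/handover", ex -> {
            var h = ex.getRequestHeaders();
            // Session id travels in a header so it stays out of URLs and access logs.
            String body = callerIsTrusted(h.getFirst("Authorization"))
                ? describe(h.getFirst("X-Session-Id")) : null;
            byte[] out = (body == null ? "{}" : body).getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().set("Content-Type", "application/json");
            ex.sendResponseHeaders(body == null ? 404 : 200, out.length);
            try (var os = ex.getResponseBody()) { os.write(out); }
        });
        server.start();
    }
}
```

The PHP application would forward the browser's session identifier in `X-Session-Id` together with its own bearer token, then populate its own `$_SESSION` from the returned JSON instead of reading the Java session directly.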
