Implementation of a Session-ID as part of HttpSession?
Question
I am developing a new kind of an HttpServer, I would like to support the HttpServer Java-like functionality how does one implement such a feature?
All I know is that you need to generate a long session-id unique string and send it via a cookie which expires after configurable number of minutes, and you need to renew this cookie upon every response.
but is it secures enough? why no one can try to guess session-ids string and try to hijack someone else session?
2 answers
solution1
0 2011-04-07 12:07:16
If it's long enough, it will stand up to brute force attack for a while. If you don't use SSL somebody else could be able to 'sniff' the session key over the network.
solution2
0 2011-04-07 12:21:18
The SecureRandom class is a good place to start if you want to start generating good-enough session IDs. There are a few other things to watch out for, most notably the size of the generated ID amongst others. You could refer to the the paper " Secure Session Management With Cookies for Web Applications " for additional details. The section discussing the generation of entropic values is probably what you need.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.