I want to get Java HttpSession by JSESSIONID. Is it possible? If yes, how?

3 Answers
You'll basically need to manually collect them all in a Map using a HttpSessionListener yourself.
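    import java.util.Map;
    import java.util.concurrent.ConcurrentHashMap;
    import javax.servlet.annotation.WebListener;
    import javax.servlet.http.HttpSession;
    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    @WebListener
    public class HttpSessionCollector implements HttpSessionListener {

        // Every live session in this webapp, keyed by its session ID.
        private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

        @Override
        public void sessionCreated(HttpSessionEvent event) {
            HttpSession session = event.getSession();
            SESSIONS.put(session.getId(), session);
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent event) {
            SESSIONS.remove(event.getSession().getId());
        }

        // Returns the session with the given ID, or null if there is none.
        public static HttpSession find(String sessionId) {
            return SESSIONS.get(sessionId);
        }
    }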
Then, anywhere you want just do HttpSessionCollector.find(sessionId) to get the HttpSession in question.
That said, this is a huge smell. There are certainly better ways to solve the actual functional requirement than this ;) As I commented in your follow-up question:
This is the 2nd time that you asked a question which in real world should never be practiced. Honestly said, this all smells. What is it, the problem for which you think that getting the HttpSession associated with JSESSIONID in server side and getting the JSESSIONID value in client side is "the" solution? Elaborate about this in a new question, you'll get answers how to do it the right way.
Take it seriously. We're not teasing you, we're just trying to help you in the right direction to avoid that your project/webapp will break due to security holes and bad practices and/or that you will get fired.

- Maybe I can explain why I found myself asking the same question and you can explain why this isn't what I should want: I assume that my server should store details in the HTTPSession, and return its sessionID (HttpSession.getId()) to the client, so the client can store it in a cookie. Then the client can provide the cookie to the server, a few days later, to be using that same session again. But that would need the server to be able to retrieve the HTTPSession based on that session ID, and/or somehow make that the active session. But I'm still exploring the whole idea. (I'm using GWT.) – murrayc Dec 07 '12 at 15:50
- @murrayc: by default, the session is timed out after 30 minutes of inactivity. See also http://stackoverflow.com/questions/3106452/how-do-servlets-work-instantiation-session-variables-and-multithreading/3106909#3106909 and http://stackoverflow.com/questions/2185951/java-how-do-i-keep-a-user-logged-into-my-site-for-months/2186072#2186072 – BalusC Dec 07 '12 at 15:57
- Ah, I now understand that HTTPSession (or its implementation in Tomcat, or something) automatically sets the JSESSIONID cookie, and later (but before the user has closed his browser) makes sure that the HTTPSession has that JSESSIONID from the cookie. So I don't need to do that. I also now understand that I wouldn't want to use the regular JSESSIONID cookie to persist a login across browser sessions, because a) that's not what it's for and b) that would not be efficient. So I'll use a separate cookie. – murrayc Dec 07 '12 at 21:48
- @BalusC The Servlet spec doesn't actually say it is valid to use a HttpSession object outside the request thread it belongs to, so you shouldn't hold on to them. Better to just keep the sessionId and maybe some of your own data in the collection. Background: some containers recreate or recycle HttpSession objects so you f ex can't synchronize on them, see http://stackoverflow.com/questions/9802165/is-synchronization-within-an-httpsession-feasible, https://forum.hibernate.org/viewtopic.php?f=7&t=934936, https://forums.oracle.com/message/2973388 – mikewse Nov 04 '13 at 17:02
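
An added example, not code from any of the answers or comments: a variant of the listener above that follows mikewse's suggestion by keeping only the session ID and a small snapshot of data instead of the HttpSession object, and that re-keys the entry when the container changes the session ID. The class name SessionIndex and the Info fields are hypothetical; it assumes a Servlet 3.1+ container using the javax.servlet namespace.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class: indexes sessions by ID but stores only an immutable
// snapshot, never the container's HttpSession object.
@WebListener
public class SessionIndex implements HttpSessionListener, HttpSessionIdListener {

    // The only data other code may learn about a session it does not own.
    public static final class Info {
        public final Instant created;
        public final int maxInactiveSeconds;
        Info(HttpSession s) {
            this.created = Instant.ofEpochMilli(s.getCreationTime());
            this.maxInactiveSeconds = s.getMaxInactiveInterval();
        }
    }

    private static final Map<String, Info> INDEX = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        INDEX.put(event.getSession().getId(), new Info(event.getSession()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        INDEX.remove(event.getSession().getId());
    }

    // request.changeSessionId() (used at login against session fixation) issues
    // a new ID; re-key so the old ID stops resolving and no stale entry is left.
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        Info info = INDEX.remove(oldSessionId);
        if (info != null) INDEX.put(event.getSession().getId(), info);
    }

    // For trusted server-side callers; do not expose to client-supplied IDs.
    public static Optional<Info> find(String sessionId) {
        return sessionId == null ? Optional.empty() : Optional.ofNullable(INDEX.get(sessionId));
    }
}
```

A map keyed only in sessionCreated and sessionDestroyed keeps the old key after an ID change, so the entry is never removed when the session ends.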
You can do it as per BalusC's answer, but the existence of such a facility is a prima facie security breach between different users. You shouldn't be building things like this into your application.

No, the API does not permit this.
I'd say more, but that's about all there is to it.
