Java servlet cookie session security

Question

I am creating a website in tomcat 7 using servlets. I plan on using cookies to keep track of user sessions. I have set the cookies to expire within 10 minutes.

My question is, If a hacker was able to steal the cookie from a user before it expired. Can the hacker change the expiration date on the cookie and use the cookie at a later time to steal the users session. I just wanted to see if this was possible as I'm trying to secure my site.

The session dies on the server when the server decides, not when the cookie says. — Neil McGuigan, Aug 01 '15 at 10:31

score 0 · Accepted Answer · answered Jul 31 '15 at 20:56

0

If after 10 minutes this cookie is removed from your server storage (and your authentication logic is base on comparing cookie's value from your storage and from browser) then it's not possible to steal session.

answered Jul 31 '15 at 20:56

ka4eli

5,294
3
23
43

Java servlet cookie session security

1 Answers1