I have a Tomcat 7 web server. After logging in to it I can see under Cookies that there is a JSESSIONID which, from what I have read, saves the id of the session instance between the user and the web server.

But the thing I cannot understand is that after I log in and stay in the browser, I can stop the server, even uninstall it from the system and re-install it, and then after I restart it I can continue navigating the website without needing to enter credentials or anything like that, as if nothing happened in the background. I can just move on with the same JSESSIONID.

So basically I will divide my question into sub-questions so it will be easier to answer:

  1. How is it even possible that after stopping the service, or even uninstalling it, this can still happen?
  2. How exactly is the JSESSIONID created? I mean, is it possible that it is the same JSESSIONID?
  3. When exactly is the JSESSIONID created?
  4. Is it possible to change this behavior and "invalidate" the session so the user will have to re-enter his credentials?
  5. Following question #4, what is common in most services: demanding a login again, or enabling the use of the old session id?

Thanks a lot!

slashms
  • If you're on a higher version than Tomcat 6 you can go kill the session in the manager application. – developerwjk Nov 09 '15 at 21:32
  • Can you please elaborate? When do I do that? How do I do that programmatically when the server is down? etc. Any idea about the rest of the questions? – slashms Nov 09 '15 at 21:35

1 Answer

In answer to your questions:

  1. Tomcat's session Manager will serialize session data and save it to a file to persist it across restarts. You can disable this.
  2. Tomcat's SessionId Generator determines the exact way the id is created.
  3. Here is a good answer for when session ids are created: Under what conditions is a JSESSIONID created?
  4. If your goal is to invalidate sessions after a Tomcat restart, you can do this by disabling session persistence.
  5. Typically a user would want to be considered "logged in" until they click a "log out" link or button in your application. You can also adjust the session expiration time if you want the session to expire after a period of inactivity. How exactly this should work is up to you and depends on your application's use cases.
worpet
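As an added illustration (not part of the answer above), here is the Tomcat 7 configuration the answer's points 1, 4 and 5 refer to: the default persistent Manager beside the setting that disables persistence across restarts, plus the web.xml inactivity timeout. The file paths and attribute names are the standard Tomcat ones; the timeout value is an assumption chosen for the example.

```xml
<!-- conf/context.xml (all webapps) or a webapp's META-INF/context.xml (one webapp) -->
<Context>

    <!-- Default behaviour (what the question observed): on shutdown the
         StandardManager serializes every active HttpSession to
         work/Catalina/<host>/<app>/SESSIONS.ser and reloads it on startup,
         so a browser that still sends its old JSESSIONID cookie is
         recognised as logged in after the restart. -->
    <!--
    <Manager className="org.apache.catalina.session.StandardManager"
             pathname="SESSIONS.ser" />
    -->

    <!-- Hardened setting: an empty pathname disables session persistence.
         After a restart the server has no record of the id in the cookie,
         the application sees a new, unauthenticated session, and the user
         is sent back through the login flow. -->
    <Manager className="org.apache.catalina.session.StandardManager"
             pathname="" />

</Context>
```

```xml
<!-- WEB-INF/web.xml of the webapp: expire sessions after inactivity
     (value in minutes; 15 is an assumed value for this example). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <session-config>
        <session-timeout>15</session-timeout>
    </session-config>
</web-app>
```

A logout link should still call HttpSession.invalidate() on the server side; disabling persistence only controls what survives a restart, it does not end sessions that are otherwise still valid.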