1

I am logged in with a different user account, but I have a hashmap with the created HTTP session IDs in it, and I need to invalidate an HTTP session by using its session ID.

Is there any way to do that?

shan
  • 186
  • 2
  • 14
  • Make a servlet that closes its session, then do an http request with the session id. – Maurice Perry Mar 22 '19 at 06:32
  • Possible duplicate of [How can i load Java HttpSession from JSESSIONID?](https://stackoverflow.com/questions/3092363/how-can-i-load-java-httpsession-from-jsessionid) – SirFartALot Mar 28 '19 at 14:27

3 Answers

0

There is no standard way to remove a session only knowing the session id.

Maybe you can trick the server by sending the fake session id (as a cookie or HTTP parameter) to take over someone else's session and try to invalidate it with some of the application's methods (e.g. "logout").

But there is no JSP or similar within Tomcat that can do this.

If you want to invalidate sessions in an application you deploy on that server, you might be interested in [How can I load Java HttpSession from JSESSIONID?](https://stackoverflow.com/questions/3092363/how-can-i-load-java-httpsession-from-jsessionid)

SirFartALot
  • 1,215
  • 5
  • 25
0

There are a couple of solutions to this. Solution 1: described here: [How can I load Java HttpSession from JSESSIONID?](https://stackoverflow.com/questions/3092363/how-can-i-load-java-httpsession-from-jsessionid). The issue here is that we need to store all the sessions created in a Map. There is a security risk here.

Solution 2: Implement a logout API something like this.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.hateoas.Resource;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@RequestMapping(value = "/logout", method = RequestMethod.GET)
public ResponseEntity<Resource> logout(HttpServletRequest request, HttpServletResponse response) {
    // getSession(false) returns the existing session or null; it never creates one
    HttpSession session = request.getSession(false);
    LOG.info("Clean session: sessionId: [{}]", session == null ? "null" : session.getId());
    if (session != null) {
        session.invalidate();
    }

    return new ResponseEntity<>(new Resource<String>(), HttpStatus.OK);
}
```

When invoking this API, add the following cookie header. Say your session is 49A77C2ED71E3240FC2CC5DBD20C7CCE; then the request would be something like this:

```bash
# GET matches the RequestMethod.GET mapping of the logout endpoint above
curl --location --request GET 'https://your.server.com/<somepath>/logout' \
  --header 'Authorization: Some authToken if required' \
  --header 'cookie: JSESSIONID=49A77C2ED71E3240FC2CC5DBD20C7CCE; Path=/<somepath>; Secure; HttpOnly'
```

Raghu K Nair
  • 3,854
  • 1
  • 28
  • 45
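Solution 1 above (the approach in the linked question) is the one that actually answers "invalidate by id", so here is a worked registry for it. This is an added example, not code from the question or from either answer: it assumes a Servlet 3.1+ container (for `HttpSessionIdListener`) and a class name, `SessionRegistry`, chosen here. The container calls the listener for every session created, destroyed or re-keyed, so the map stays in sync and does not leak invalidated sessions; `invalidateById` is meant to be called only from a privileged server-side path (an admin endpoint or a password-change handler), which is where the "security risk" mentioned above has to be controlled.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Registry of live HTTP sessions keyed by session id (hypothetical class,
 * added as an example). Registered automatically via @WebListener on
 * Servlet 3.0+ containers; on older ones, declare it in web.xml instead.
 */
@WebListener
public class SessionRegistry implements HttpSessionListener, HttpSessionIdListener {

    // Shared across the whole web application. ConcurrentHashMap because
    // request threads and the container's listener callbacks run concurrently.
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        SESSIONS.put(session.getId(), session);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fired by the container on invalidate() and on timeout, so entries
        // are removed without any extra bookkeeping by the application.
        SESSIONS.remove(se.getSession().getId());
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        // request.changeSessionId() (typical after login, to prevent session
        // fixation) keeps the session object but gives it a new id; re-key it
        // or later lookups by the new id would miss.
        SESSIONS.remove(oldSessionId);
        SESSIONS.put(se.getSession().getId(), se.getSession());
    }

    /** Looks up a live session by id; empty if unknown or already destroyed. */
    public static Optional<HttpSession> find(String sessionId) {
        return Optional.ofNullable(SESSIONS.get(sessionId));
    }

    /**
     * Invalidates the session with the given id from any request context
     * (the caller does not need to own that session). Returns true when a
     * session was actually invalidated.
     */
    public static boolean invalidateById(String sessionId) {
        HttpSession session = SESSIONS.remove(sessionId);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalid) {
            // Raced with a timeout or a concurrent invalidate(); nothing left to do.
            return false;
        }
    }

    /** Number of sessions currently tracked, e.g. for a metrics or health page. */
    public static int liveCount() {
        return SESSIONS.size();
    }
}
```

With this in place, the code that holds the hashmap of ids only needs `SessionRegistry.invalidateById(id)`; it does not need the cookie-replay workaround of Solution 2, and the registry never has to leave the JVM. The `HttpSessionIdListener` part matters in practice: without it, a session whose id was rotated at login is still in the map under its old key, so a revocation by the current id silently does nothing.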
-2

You can use the method given below:

```java
session.invalidate();
```

OR you can remove all attributes from the session and then invalidate it:

```java
import java.util.Enumeration;
import javax.servlet.http.HttpSession;

// Use the existing session; getSession(false) does not create a new one
HttpSession session = request.getSession(false);
if (session != null) {
    Enumeration<String> attributes = session.getAttributeNames();
    while (attributes.hasMoreElements()) {
        String attribute = attributes.nextElement();
        session.removeAttribute(attribute);
    }
    session.invalidate();
}
```
Viren
  • 1
  • 1
  • 1
    The question is how to invalidate a session by its ID. This case is usually required when one is trying to invalidate the session by calling some API from other applications. – blueDexter Feb 04 '20 at 15:33