
I have a web application running on a JBoss server, based on the JSF framework. I need to redirect my request to an entirely new web application running on some other server, on some other machine located elsewhere geographically.

My doubt is: if I redirect the request from my web page to another web application's web page, will it expose the session parameter at the other end? I have some very critical information stored in the session and I cannot afford to expose the details to another web application.

Along with the redirect request I would be sending some parameters to the remote web application which will use these parameters for certain mathematical computation.

Can anyone guide me on this?

BalusC
AngelsandDemons
  • How exactly could the other web application see your session attributes? – BalusC Mar 01 '12 at 12:51
  • Possibly I am asking a question. Is it possible for the other web application to see what is present in the session? I am confused, because inside a session I am redirecting the user to another web application with some values being stored in the session. – AngelsandDemons Mar 01 '12 at 12:58
  • You seem to be a hobbyist/self-learner who is completely new to web development. In that case, this answer is perhaps enlightening: http://stackoverflow.com/questions/3106452/how-do-servlets-work-instantiation-session-variables-and-multithreading/3106909#3106909 Otherwise, just start learning HTTP. – BalusC Mar 01 '12 at 13:01

2 Answers


Is it possible for the other web application to see what is present in the session

No. That would have been a huge security hole throughout the current world wide web. Think about it once again: are you able to see what, for example, google.com and stackoverflow.com have in their sessions? No? Then the other web application definitely can't either. All that the web application can see from outside is the sole incoming HTTP request in its entirety.

This problem/question has at least nothing to do with JSF.

BalusC
  • Thanks for the enlightenment. Out of curiosity I asked this question. The example provided by you is good enough to get the answer for my question. Thanks again. – AngelsandDemons Mar 03 '12 at 05:21

If you invalidate the session before the redirect then it doesn't matter if the external web application sees your session cookie. They couldn't turn around and emulate requests on your session anyway because the session is no longer valid.

request.getSession().invalidate();

I don't think this will be an issue though because I doubt that the request header to another web application would include the same session cookie.

maple_shaft
  • But does invalidating mean that I am terminating the session at my web application also? Because I want to forward the user to a remote web application. The user will come back to my web application and I should be able to retrieve the values stored in the session. Else the entire purpose of the session would be lost for my web application. Will my web application session terminate? – AngelsandDemons Mar 01 '12 at 13:00
  • @Hukamanata Yes, that would terminate the user's session on your web application, but BalusC is right: unless you code your web application to do so, your web application's session cookie will not be available to the external web application. That application will have a separate session cookie for that user. – maple_shaft Mar 01 '12 at 13:15
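
The behaviour both answers describe, as an added example that is not code from either answer: a hypothetical servlet that redirects to a remote application with two explicit parameters while the sensitive data stays in the local session. The servlet name, the `/remote/*` mapping, the remote URL and the parameter and attribute names are all assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, assumed to be mapped to /remote/* in web.xml.
public class RemoteComputeServlet extends HttpServlet {

    // Assumed address of the remote application (placeholder host).
    private static final String REMOTE_URL = "https://compute.example.org/calc";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession();

        if ("/back".equals(req.getPathInfo())) {
            // The user has returned from the remote application. The browser
            // sends this host's session cookie again, so the attributes set
            // before the redirect are still available (until session timeout).
            boolean kept = session.getAttribute("accountSecret") != null;
            resp.setContentType("text/plain");
            resp.getWriter().println("Session data still present: " + kept);
            return;
        }

        // Stored on this server only; never written into any HTTP message.
        session.setAttribute("accountSecret", "constructed-sample-value");

        // Only values deliberately placed in the URL reach the remote side.
        String x = req.getParameter("x");
        String y = req.getParameter("y");
        if (x == null || y == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "x and y are required");
            return;
        }
        String target = REMOTE_URL
                + "?x=" + URLEncoder.encode(x, "UTF-8")
                + "&y=" + URLEncoder.encode(y, "UTF-8");

        // Sends a 302 with a Location header. The browser then makes a new
        // request to the remote host and attaches only that host's cookies,
        // not the session cookie issued by this application.
        resp.sendRedirect(target);
    }
}
```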