When using the session management provided by Java's servlet API through the HttpSession interface, a cookie called JSESSIONID is created. This cookie is used to validate whether the user has created a session or not.
But does the servlet validate that the JSESSIONID value comes from the same machine that created the session?
I know an XSS (cross-site scripting) attack can steal users' session cookies. When the malicious user sends the JSESSIONID to the server, is he/she able to retrieve the contents of the session? Or does the server validate the IP of the user sending the JSESSIONID?
When a session is created for a user:
- A session ID is created on the server side.
- This session ID is sent to the browser that sent the request.
- This ID is stored in a cookie called JSESSIONID.
- The browser sends the cookie on subsequent requests.
- The server knows the session ID on the server side and validates the one in the cookie.
- The IP address is not checked on subsequent requests. The session is identified using only the JSESSIONID.
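The flow in the answer above, modelled as an added example (this is not the servlet container's own code; the `SessionStore`, `Request` and `get_session` names and the cookie attributes are assumptions). It shows what the answer states: the server looks the session up by the JSESSIONID value alone, so a replayed cookie from a different IP resolves to the victim's session, while an unknown ID simply gets a fresh, empty session.

```python
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "JSESSIONID"  # default session cookie name in Java servlet containers


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: client IP plus cookie jar."""
    client_ip: str
    cookies: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by session ID (assumed model, not Tomcat's code)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)  # 128 random bits: unguessable, like a container-generated ID
        self._sessions[sid] = {}
        return sid

    def lookup(self, sid):
        # The key is the ID only; the client IP is never part of the lookup.
        return self._sessions.get(sid)


def get_session(store, req):
    """Model of HttpServletRequest.getSession().

    Returns (session_id, attributes, set_cookie_header). If the request carries a
    JSESSIONID that names a live session, that session is reused and no cookie is
    emitted; otherwise a new session is created and a Set-Cookie header is returned.
    """
    sid = req.cookies.get(COOKIE_NAME)
    if sid is not None:
        attrs = store.lookup(sid)
        if attrs is not None:
            return sid, attrs, None
    sid = store.create()
    # HttpOnly keeps document.cookie (and hence XSS payloads) from reading the value;
    # Secure keeps it off plaintext HTTP. Assumed hardening, not shown in the answer.
    header = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure"
    return sid, store.lookup(sid), header


def demo():
    store = SessionStore()

    # 1. First request from the victim's browser: no cookie yet, so a session is created.
    first = Request(client_ip="10.0.0.5")
    sid, sess, set_cookie = get_session(store, first)
    sess["user"] = "alice"  # e.g. stored after a successful login

    # 2. The same browser sends the cookie back on a later request.
    second = Request(client_ip="10.0.0.5", cookies={COOKIE_NAME: sid})
    _, sess_again, _ = get_session(store, second)

    # 3. An attacker replays the stolen cookie value from a different IP.
    replay = Request(client_ip="203.0.113.9", cookies={COOKIE_NAME: sid})
    _, sess_replayed, replay_cookie = get_session(store, replay)

    # 4. An attacker with a forged/unknown ID just gets a brand-new empty session.
    forged = Request(client_ip="203.0.113.9", cookies={COOKIE_NAME: "0" * 32})
    _, sess_forged, forged_cookie = get_session(store, forged)

    return {
        "set_cookie_on_first_request": set_cookie is not None,
        "same_session_for_victim": sess_again is sess,
        "attacker_gets_victims_session": sess_replayed is sess and sess_replayed.get("user") == "alice",
        "attacker_issued_new_cookie": replay_cookie is not None,
        "forged_id_gets_fresh_session": sess_forged is not sess and "user" not in sess_forged,
        "forged_id_issued_new_cookie": forged_cookie is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The session cookie is therefore a bearer token: whoever presents it is treated as the user who created it, which is why stealing it via XSS is enough to take over the session and why the HttpOnly attribute on the cookie matters.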