How can I recreate an HttpSession (with a cookie, in servlet filters) using the JSESSIONID from a still-active session, passed in the request?

Thanks for help.

A: 

What you are trying to do is hijack the session. As the name suggests, this is a security hole in your application because a malicious user could use the same mechanism to impersonate a good user.

To hijack the session, the second client (the mobile browser in your case) is going to have to know the session id, so avoiding the log-in isn't really getting you anything because you're just replacing it with entering the session id.

Nick Holt
A: 

This is in theory a terrible and error-prone solution. The real solution lies somewhere else. Store the data of interest in some datastore (SQL database?) which is associated with the logged-in user. This way you can just access the same data on every login, regardless of the client application and machine used.

BalusC
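
An added example, not code from either answer: a servlet filter sketch of the datastore approach, where data is keyed by the authenticated user and a session id passed in the request is refused. The class name `UserDataFilter`, the in-memory `STORE` map standing in for a database, and the `userData` attribute are assumptions; container-managed authentication (so that `getUserPrincipal()` is populated) is also assumed.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: per-user state is looked up by the authenticated
// user name, never by a session id supplied by the client.
public class UserDataFilter implements Filter {
    // Stand-in for the datastore (an SQL table keyed by user in practice).
    private static final Map<String, Map<String, String>> STORE = new ConcurrentHashMap<>();

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Refuse session ids carried in the URL or in a request parameter.
        if (request.isRequestedSessionIdFromURL()
                || request.getParameter("JSESSIONID") != null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Each client authenticates on its own and gets its own session.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String user = request.getUserPrincipal().getName();
        // Same user, any device or session: same stored data.
        Map<String, String> data = STORE.computeIfAbsent(user, u -> new ConcurrentHashMap<>());
        request.setAttribute("userData", data);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Downstream servlets read the `userData` request attribute, so the desktop and mobile clients see the same data while each keeps its own independently issued session.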