views:

43

answers:

1

Situation: I have a "dumb" Javascript frontend that can contact some kind of SSO middleware (MW). The MW can obtain sessions by issuing requests that contain authentication credentials (username, password). I.e. the session will be created for a certain user.

My frontend needs to "restart" the session to gain the user's permissions to the target system. For that i need a valid session cookie.

The target system is not under my control (could be a more or less public WFS, WMS, etc.), so i cannot add any SSO mechanism to it.

Question: Is it possible to "steal" a Session forging a request which URL contains a valid session ID in the jsessionid parameter?

Goal : Issue such a request to a Servlet and make it respond with a Set-Cookie header that contains the same id. That way the frontend joins the session and may do whatever the user, which was used to create the session, is able to do.

A: 

Your best bet is a shared datasource (RDBMS?) where the shared information is stored with some long, auto-generated, unique identifier as key (java.util.UUID maybe?) and then pass this key around.

BalusC
That's a no-go. The targets are not under my control and my not be known until deployment.
lajuette
Then it's indeed a no-go.
BalusC