Where is JSESSIONID stored?

Peleus picture Peleus · Sep 12, 2014 · Viewed 9.7k times · Source

I'm looking into how a particular web application works and I want to determine exactly what information is being stored in the JSESSIONID session tokens.

I understand PHPSESSSID tokens for example are stored [depending on the server] at locations like /tmp/, /var/lib/php/session or /var/lib/php5/session.

My question is - are JSESSIONID's stored in a similar manner? Is there particular configuration files to check to find the location of where they are being stored? Is there an alternative method of finding exactly what's in the session token without going through the entire code base? For example with PHP I can simply examine the session token file and see what major components are being stored (Perhaps username, authorized flag, etc).

Thank you.

Answer

celias picture celias · Sep 12, 2014

To Start off the JSESSIONID is stored in a cookie. If cookies are turned off, you have to get into url rewritting to store the jsessionid in the url. There is nothing else about the session in cookies. There is nothing stored in a session until one of the following happens:

  1. Authentication in the container
  2. request.getSession() or request.getSession(true) is called

Once that happens, you can store information in the session. When calling request.getSession(), it returns HttpSession. The HttpSession implements serializable. Once this object exists, when the request ends, this object is serialized. Every container gives different ways on how to store the HttpSession serialized object. By default most servers do this in memory. Most containers will give you multiply choices to pick on how the HttpSession objects can be serialized (memory,disk,database). Most containers will also give you a way to customized and create our own way to serialize the HttpSession.

The Servlet spec by default does not really give you a way to peek into sessions and get a list of session id's or the data associated with it. It is a huge security risk.

If you want to get that list of session id's and the information associated so you can look, will are going to have to write code. There are multiply ways to do this. Some examples are:

  1. Implement javax.servlet.http.HttpSessionListener and store the jsessionid to the database
  2. Implement javax.servlet.http.HttpSessionAttributeListener and store the key/value pair in the database with the session id

When implementing any of the above interfaces, you will not be able to retrieve the username from the authentication, unless you store the information in the session. You can add the two listeners to any web application without affecting the original war/ear files behaviour.

By default the app servers make it hard to get the information you are looking for, but with a little bit of coding, you can circumvent it.