
I'm looking into how a particular web application works and I want to determine exactly what information is being stored in the JSESSIONID session tokens.

I understand PHPSESSID tokens, for example, are stored [depending on the server] at locations like /tmp/, /var/lib/php/session or /var/lib/php5/session.

My question is: are JSESSIONIDs stored in a similar manner? Are there particular configuration files to check to find the location where they are being stored? Is there an alternative method of finding exactly what's in the session token without going through the entire code base? For example, with PHP I can simply examine the session token file and see what major components are being stored (perhaps username, authorized flag, etc.).

Thank you.

Peleus
  • Bishan: I've already reviewed that post before posting the question. If you take the time to read it you'll see it has no information about where the sessions are stored. – Peleus Sep 12 '14 at 04:21

4 Answers


To start off, the JSESSIONID is stored in a cookie. If cookies are turned off, you have to get into URL rewriting to store the jsessionid in the URL. There is nothing else about the session in cookies. There is nothing stored in a session until one of the following happens:

  1. Authentication in the container
  2. request.getSession() or request.getSession(true) is called

Once that happens, you can store information in the session. When calling request.getSession(), it returns an HttpSession. The HttpSession implements Serializable. Once this object exists, when the request ends, this object is serialized. Every container gives different ways to store the serialized HttpSession object. By default most servers do this in memory. Most containers will give you multiple choices to pick from on how the HttpSession objects can be serialized (memory, disk, database). Most containers will also give you a way to customize and create your own way to serialize the HttpSession.

The Servlet spec by default does not really give you a way to peek into sessions and get a list of session IDs or the data associated with them. It is a huge security risk.

If you want to get that list of session IDs and the information associated with them so you can look, you are going to have to write code. There are multiple ways to do this. Some examples are:

  1. Implement javax.servlet.http.HttpSessionListener and store the jsessionid to the database
  2. Implement javax.servlet.http.HttpSessionAttributeListener and store the key/value pair in the database with the session id

When implementing any of the above interfaces, you will not be able to retrieve the username from the authentication, unless you store the information in the session. You can add the two listeners to any web application without affecting the original war/ear files behaviour.

By default the app servers make it hard to get the information you are looking for, but with a little bit of coding, you can circumvent it.

celias
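A listener of the kind this answer describes, added here as an example (not code from the answer or from any project): it implements both HttpSessionListener and HttpSessionAttributeListener so that session creation, destruction and every attribute key set on a session are written to the container log. The class name is hypothetical, and the @WebListener annotation assumes a Servlet 3.0+ container (Tomcat 7 or later), which registers the class at deployment without any change to web.xml.

```java
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Audit listener (hypothetical class name): records session lifecycle and
// every attribute key placed in a session. @WebListener registers it at
// deployment on a Servlet 3.0+ container (e.g. Tomcat 7+), so it can be
// added to an existing WAR without touching web.xml or the app's classes.
@WebListener
public class SessionAuditListener
        implements HttpSessionListener, HttpSessionAttributeListener {

    private static final Logger LOG =
            Logger.getLogger(SessionAuditListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        LOG.info("session created id=" + se.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        LOG.info("session destroyed id=" + se.getSession().getId());
    }

    @Override
    public void attributeAdded(HttpSessionBindingEvent e) { log("added", e); }

    @Override
    public void attributeRemoved(HttpSessionBindingEvent e) { log("removed", e); }

    @Override
    public void attributeReplaced(HttpSessionBindingEvent e) { log("replaced", e); }

    // Log the attribute name and the value's class, not the value itself: name
    // and type are enough to map what the session carries, and values such as
    // credentials or tokens then never end up in the log file.
    private static void log(String action, HttpSessionBindingEvent e) {
        Object v = e.getValue();
        LOG.info(String.format("session %s attribute %s name=%s type=%s",
                e.getSession().getId(), action, e.getName(),
                v == null ? "null" : v.getClass().getName()));
    }
}
```

Running the application through a login and a few pages with this class on the classpath gives a record of every session key the code touches, which answers the "what is in the session" question without reading the code base.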

Tomcat stores your session data on disk only on shutdown, only if the session data is serializable, and only if you have configured sessions to survive restarts. So there is no temp/var folder to look at for almost every Tomcat in the world.

Hannes
  • Untrue. If you use the PersistentManager it stores sessions whenever they are passivated. If you use the DeltaManager it replicates them all over the cluster. If you use the BackupManager it backs them up to the designated backup node. – user207421 Sep 12 '14 at 05:22
  • @EJP Totally correct. *If* you *configure* a storage, a storage node, or a storage network, data will be written. – Hannes Sep 12 '14 at 06:31

Every single application server will define its own way of storing this data (and you're usually allowed to change it to something else), but you usually won't have direct access to it.

If you want to see the values being set in the sessions, you can use HttpSessionAttributeListener objects to receive events when the code sets some value in the session or removes it.

Maurício Linhares

Every application has its own session and session ID on the application server. Management of sessions in Java depends on how you manage it. Generally the session is stored in cookies. You can use an object of the HttpSessionAttributeListener class to receive events.

We can develop a bean named session, or any name you want, that implements the HttpSession interface to get the pattern methods.

That bean will contain all the information which you want to store in the session.

Irfan Nasim