fc.web.servlet
Class SessionUtil

java.lang.Object
  extended by fc.web.servlet.SessionUtil

public final class SessionUtil
extends Object

Misc utility methods for sessions and cookies.


Constructor Summary
SessionUtil()
           
 
Method Summary
static void deleteTestCookie(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res)
          Removes the test cookie if previously set.
static boolean hasTestCookie(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res)
          Returns true if the browser accepts cookies.
static String newSessionID()
          Returns a new session identifier.
static void setTestCookie(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res)
          Sets a test cookie.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SessionUtil

public SessionUtil()
Method Detail

setTestCookie

public static void setTestCookie(javax.servlet.http.HttpServletRequest req,
                                 javax.servlet.http.HttpServletResponse res)
Sets a test cookie. The user should be redirected to this or some other page after calling this method, and the presence of the cookie can then be checked from that page via hasTestCookie. The lifetime of the test cookie is the browser session's lifetime (it is lost when the browser exits).


hasTestCookie

public static boolean hasTestCookie(javax.servlet.http.HttpServletRequest req,
                                    javax.servlet.http.HttpServletResponse res)
Returns true if the browser accepts cookies. The setTestCookie() method must have been invoked by some page prior to calling this method AND the user must have been redirected to that or some other page AND this method must be invoked from that redirected page.

Note: Test cookies are entirely self-contained. They are meant only to determine whether a browser accepts cookies. Their presence or absence says nothing about other cookies the browser may send. Those other cookies may refer to a session that has already expired in memory or in the database, and a separate check for that should be made.


deleteTestCookie

public static void deleteTestCookie(javax.servlet.http.HttpServletRequest req,
                                    javax.servlet.http.HttpServletResponse res)
Removes the test cookie if previously set. Normally, the test cookie set by the setTestCookie(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) method is removed automatically when the browser exits, but this method allows removing it before then.


newSessionID

public static String newSessionID()
Returns a new session identifier.
See: cookies.lcs.mit.edu
See: www.across.si

There are 2 issues with generating session IDs.

1) uniqueness - 2 or more session IDs should not end up being
   the same.
2) hard-to-guess - For example, sequential values like
   1, 2, 3 are unique but easy to guess and therefore make
   session hijacking easy.

Our session IDs have 2 parts:
a) a timestamp for guaranteed uniqueness (easy to guess)
b) random data (hard to guess)
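The two-part scheme described above, written out as an added example (this is not the fc.web.servlet implementation): the timestamp covers uniqueness, a CSPRNG covers unpredictability, and the id is URL-safe Base64 so it fits in a cookie. The class name, the 16-byte random length and the timestampOf helper are assumptions for illustration.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Base64;

public final class SessionIdDemo {
    // SecureRandom is a cryptographic PRNG. Using java.util.Random here
    // would make the "hard to guess" part predictable from a few observed ids.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int RANDOM_BYTES = 16; // 128 bits of entropy (assumed size)

    /** Builds an id from a millisecond timestamp (uniqueness) plus random bytes (unpredictability). */
    public static String newSessionID() {
        byte[] buf = new byte[Long.BYTES + RANDOM_BYTES];
        ByteBuffer bb = ByteBuffer.wrap(buf);
        bb.putLong(System.currentTimeMillis());   // part (a): timestamp
        byte[] rnd = new byte[RANDOM_BYTES];
        RNG.nextBytes(rnd);                        // part (b): random data
        bb.put(rnd);
        // URL-safe alphabet, no padding: safe to place in a Set-Cookie header or a URL.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Recovers the timestamp part so a server can reject ids older than its session limit. */
    public static long timestampOf(String id) {
        byte[] buf = Base64.getUrlDecoder().decode(id);
        if (buf.length != Long.BYTES + RANDOM_BYTES) {
            throw new IllegalArgumentException("malformed session id");
        }
        return ByteBuffer.wrap(buf).getLong();
    }

    public static void main(String[] args) {
        String a = newSessionID();
        String b = newSessionID();
        System.out.println("id a: " + a);
        System.out.println("id b: " + b);
        System.out.println("distinct: " + !a.equals(b));
        System.out.println("timestamp part of a (ms): " + timestampOf(a));
    }
}
```

Only the random part provides the hard-to-guess property, so the timestamp must never be the sole component; the age check in timestampOf is a bonus, not a substitute for server-side session validation.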