I am developing a Java middleware that acts like a session manager and "router" of sorts for other services. Below is my flow:

HTML post with username/password -> Java Spring Framework using RequestEntity -> Java class communicates with LDAP to verify the user -> HttpSession is created and a custom implementation of the listener interface adds the HttpSession with attribute username as session ID -> ResponseEntity is set with the session ID.

After verification, all of the user's requests carrying the session ID will be verified by my HttpSessionManager. If the user is verified then I can provide further services.

Is this a valid design? Will the session ID be hijacked? Could I have a timer set to invalidate the session ID after a certain time?
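Added example, not code from the poster's project: a plain-Java (no Spring dependency) server-side session store showing the properties a session-ID scheme like the one described should have. The ID is an opaque value from SecureRandom that is unrelated to the username, so it cannot be guessed from knowing who is logged in; the store keeps only a SHA-256 fingerprint of the ID, so a dump of the store does not yield usable IDs; and the timer question is answered with two limits, an idle timeout and an absolute lifetime, checked on every lookup. The class name, the timeouts and the timestamps in main are constructed for the example. The LDAP bind that precedes create() is assumed to have succeeded and is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** In-memory session store: opaque random IDs, idle and absolute timeouts, explicit invalidation. */
public final class SessionStore {

    /** Server-side state for one session; the client only ever holds the opaque ID. */
    private static final class Session {
        final String username;
        final Instant createdAt;
        volatile Instant lastSeen;

        Session(String username, Instant now) {
            this.username = username;
            this.createdAt = now;
            this.lastSeen = now;
        }
    }

    private final SecureRandom random = new SecureRandom();
    // Keyed by fingerprint(id), never by the raw id.
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Duration idleTimeout;     // max gap between two requests
    private final Duration absoluteTimeout; // max lifetime regardless of activity

    public SessionStore(Duration idleTimeout, Duration absoluteTimeout) {
        this.idleTimeout = idleTimeout;
        this.absoluteTimeout = absoluteTimeout;
    }

    /** Called only after the caller (the LDAP check) has verified the user. Returns the ID to hand to the client. */
    public String create(String username, Instant now) {
        byte[] raw = new byte[32]; // 256 bits of entropy; nothing about the user is encoded in it
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(fingerprint(id), new Session(username, now));
        return id;
    }

    /** Resolves a presented ID to its username, or empty if unknown, idle-expired or past its absolute lifetime. */
    public Optional<String> validate(String presentedId, Instant now) {
        if (presentedId == null || presentedId.isEmpty()) {
            return Optional.empty();
        }
        String key = fingerprint(presentedId);
        Session s = sessions.get(key);
        if (s == null) {
            return Optional.empty();
        }
        boolean idleExpired = Duration.between(s.lastSeen, now).compareTo(idleTimeout) > 0;
        boolean absoluteExpired = Duration.between(s.createdAt, now).compareTo(absoluteTimeout) > 0;
        if (idleExpired || absoluteExpired) {
            sessions.remove(key); // expired sessions are removed, not just rejected
            return Optional.empty();
        }
        s.lastSeen = now; // sliding idle window
        return Optional.of(s.username);
    }

    /** Explicit logout: the ID stops working immediately. */
    public void invalidate(String presentedId) {
        if (presentedId != null) {
            sessions.remove(fingerprint(presentedId));
        }
    }

    /** SHA-256 of the ID, so the map holds no value that could be replayed as a session ID. */
    private static String fingerprint(String id) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(id.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JDK", e);
        }
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(Duration.ofMinutes(15), Duration.ofHours(8));
        Instant t0 = Instant.parse("2024-01-01T09:00:00Z"); // constructed timestamp

        String id = store.create("alice", t0); // after a successful LDAP bind (assumed)
        System.out.println("one minute later:          " + store.validate(id, t0.plusSeconds(60)));
        System.out.println("username used as the ID:   " + store.validate("alice", t0.plusSeconds(60)));
        System.out.println("16 idle minutes later:     " + store.validate(id, t0.plusSeconds(60 + 16 * 60)));
        System.out.println("same ID again:             " + store.validate(id, t0.plusSeconds(60 + 16 * 60)));

        String id2 = store.create("bob", t0);
        store.invalidate(id2); // logout
        System.out.println("after explicit invalidate: " + store.validate(id2, t0.plusSeconds(1)));
    }
}
```

In the Spring setup described in the question, validate() is what the HttpSessionManager (or a servlet filter in front of the routed services) would call on every request, and create() replaces putting the username into the response as the ID. Two things the store cannot do for you: the ID must travel over HTTPS only (as a Secure, HttpOnly cookie rather than a URL parameter, so it does not land in logs or referrers), and a fresh ID should be issued after authentication rather than reusing any ID the client held before login.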