Questions:
I am developing a Java middleware that acts like a session manager and "router" of sorts for other services. Below is my flow:
HTML POST with username/password -> Java Spring Framework using RequestEntity -> Java class communicates with LDAP to verify the user -> HttpSession is created, and a custom implementation of the listener interface adds the HttpSession with the attribute username as the session ID -> ResponseEntity is set with the session ID.
After verification, all of the user's requests with the session ID will be verified by my HttpSessionManager. If the user is verified, then I can provide further services.
Is this a valid design? Will the session ID be hijacked? Could I have a timer set to invalidate the session ID after a certain time?
Thanks!
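The design above hands the client a session ID that is derived from the username, so anyone who knows (or guesses) a username can present it and be treated as that user; the ID must instead be an opaque random value that only the server can map back to an identity, with both an idle and an absolute timeout. The class below is an added illustration of that pattern, not code from the question or from Spring: a plain Java session store with no framework dependency, where `SessionManager`, `create`, `validate`, `invalidate` and the timeout values are names chosen for this example. In a Spring application the same logic would sit behind the listener and HttpSessionManager the question describes, called only after the LDAP bind has succeeded.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Server-side session store (example only). The session ID is 256 bits from
 * SecureRandom, so it cannot be guessed or derived from the username; the
 * username lives only in the server-side record the ID points to.
 */
public final class SessionManager {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ID_BYTES = 32; // 256 bits of entropy per session ID

    // Timeouts are assumptions for the example; pick values that fit your service.
    private final Duration idleTimeout;      // invalidate after this much inactivity
    private final Duration absoluteTimeout;  // invalidate this long after login regardless

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    /** What the server remembers about one session. */
    static final class Session {
        final String username;
        final Instant created;
        volatile Instant lastSeen;

        Session(String username, Instant now) {
            this.username = username;
            this.created = now;
            this.lastSeen = now;
        }
    }

    public SessionManager(Duration idleTimeout, Duration absoluteTimeout) {
        this.idleTimeout = idleTimeout;
        this.absoluteTimeout = absoluteTimeout;
    }

    /** Call only after LDAP has verified the user. Returns the opaque ID to put in the ResponseEntity. */
    public String create(String username, Instant now) {
        byte[] raw = new byte[ID_BYTES];
        RNG.nextBytes(raw);
        // URL-safe, unpadded Base64 so the ID survives headers and query strings unchanged.
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Session(username, now));
        return id;
    }

    /**
     * Check the ID presented on a later request. Returns the username if the
     * session exists and neither timeout has elapsed; otherwise removes any
     * stale record and returns empty so the caller rejects the request.
     */
    public Optional<String> validate(String presentedId, Instant now) {
        if (presentedId == null) {
            return Optional.empty();
        }
        Session s = sessions.get(presentedId);
        if (s == null) {
            return Optional.empty();
        }
        boolean pastAbsolute = Duration.between(s.created, now).compareTo(absoluteTimeout) > 0;
        boolean pastIdle = Duration.between(s.lastSeen, now).compareTo(idleTimeout) > 0;
        if (pastAbsolute || pastIdle) {
            sessions.remove(presentedId);
            return Optional.empty();
        }
        s.lastSeen = now; // sliding idle window
        return Optional.of(s.username);
    }

    /** Explicit logout: drop the record so the ID is useless even if it was captured. */
    public void invalidate(String presentedId) {
        if (presentedId != null) {
            sessions.remove(presentedId);
        }
    }

    public static void main(String[] args) {
        SessionManager mgr = new SessionManager(Duration.ofMinutes(15), Duration.ofHours(8));
        Instant login = Instant.parse("2024-01-01T00:00:00Z");

        String id = mgr.create("alice", login);
        System.out.println("live session:        " + mgr.validate(id, login.plusSeconds(60)));
        System.out.println("username as ID:      " + mgr.validate("alice", login));      // Optional.empty
        System.out.println("after 19 min idle:   " + mgr.validate(id, login.plusSeconds(20 * 60))); // Optional.empty
        mgr.invalidate(id);
        System.out.println("after logout:        " + mgr.validate(id, login.plusSeconds(61)));   // Optional.empty
    }
}
```

Two points the question's timer idea does not cover on its own: the ID must still be carried over TLS only (a random ID copied off the wire is as good as the password until it expires), and the record should be deleted on logout, not merely left to time out. If you keep the container's HttpSession, it already generates a random ID and exposes `setMaxInactiveInterval` for the idle timeout; the absolute timeout and the LDAP-gated creation are what the custom listener adds.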
How to&Answers: