html – Will this design work for Java Session Manager

Questions:

I am developing a Java middleware that acts like a session manager and “router” of sorts for other services. Below if my flow:

  1. HTML post with Username/password-> java springframework using RequestEntity – > java class communicate with LDAP to verify user -> HttpSession is created and a custom implementation of listener interface adds HttpSession with attribute username as session id -> ResponseEntity is set with sessionID.

  2. After verification, all user’s requests with SessionID will be verified by my HttpSessionManager. If user is verified then i can provide further services.

Is this a valid design? will the session id be hijacked? I could have a timer set to invalidate SessionID after certain time?
Thanks!

How to&Answers:

Leave a Reply

Your email address will not be published. Required fields are marked *