Name
HttpSessionContext
Synopsis
Interface Name:
javax.servlet.http.HttpSessionContext
Superinterface: None
Immediate Subinterfaces: None
Implemented By: None
Availability: Servlet API 2.0 and later; deprecated in Servlet API 2.1
Description
HttpSessionContext is deprecated as of Servlet API
2.1. Previously this interface provided access to all of the currently
active sessions inside the servlet container. This created a
potential security hole: a servlet could use it to
display all the session IDs found inside the context, and
unscrupulous clients could then use that information to forge their
way into another’s session. Because the ability to access all
sessions at once is almost never needed, this interface was deprecated
for security’s sake.
Interface Declaration
public interface HttpSessionContext {
// Methods
public abstract Enumeration getIds(); // Deprecated
public abstract HttpSession getSession(String sessionId); // Deprecated
}
Methods
getIds()
public abstract Enumeration getIds()
- Description
Deprecated as of Servlet API 2.1. In Servlet API 2.0, returned an Enumeration that contained the session IDs for all the currently valid sessions in this context, or an empty Enumeration if there were no valid sessions. The session IDs returned by getIds() must be held as a server secret because any client with knowledge of another client’s session ID can, with a forged cookie or URL, join the second client’s session.
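The requirement that session IDs stay a server secret still applies when an application wants an overview of its active sessions. The following is an added example, not code from the original page or from the Servlet API itself: a hypothetical SessionAuditListener that tracks sessions through the standard HttpSessionListener and HttpSessionIdListener callbacks and keeps only a one-way fingerprint of each ID. It assumes a javax.servlet container at Servlet 3.1 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class (added example); register it as a <listener> in web.xml.
public class SessionAuditListener implements HttpSessionListener, HttpSessionIdListener {
    // fingerprint -> creation time in ms. Raw session IDs are never stored.
    private static final Map<String, Long> ACTIVE = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        ACTIVE.put(fingerprint(event.getSession().getId()), event.getSession().getCreationTime());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        ACTIVE.remove(fingerprint(event.getSession().getId()));
    }

    // ID rotation (e.g. changeSessionId() after login) must not leave a stale entry.
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        ACTIVE.remove(fingerprint(oldSessionId));
        sessionCreated(event); // the event's session already carries the new ID
    }

    // Read-only view for an admin page: what is active, without any usable ID.
    public static Map<String, Long> activeSessions() {
        return Collections.unmodifiableMap(ACTIVE);
    }

    // First 8 bytes of SHA-256(id) as hex: tells sessions apart, cannot be replayed as an ID.
    static String fingerprint(String sessionId) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 8; i++) hex.append(String.format("%02x", d[i]));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```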
getSession()
public abstract HttpSession getSession(String sessionId) ...