Legacy Knowledge Base
Published Jul. 2, 2025

Using one user's JSESSIONID, any logged-in user can access that user's session

Written By

Sivakumar Perumal

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • One user's session can be accessed by anyone who knows that user's JSESSIONID.
  • Steps for reference:

    1) Two users (say user A and user B).

    2) User A logs in to the system.

    3) User A's browser now holds a JSESSIONID cookie (for example 0D13262EDECBA19E93D5A753FC34E03A). User A shares this value with user B.

    4) In user B's browser, which is already logged in as user B, replace the value of the JSESSIONID cookie with user A's value.

    5) User B's browser now accesses user A's session.

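The steps above, reduced to a model. This is an added example, not Liferay or Tomcat code: a small in-memory session store in the style of a servlet container, with user names, session ids and timeouts constructed inline. It shows why step 4 works (the server resolves identity from the cookie value alone) and, going beyond the steps, the three things that actually bound the damage of a disclosed id: the id is rotated at login (as Tomcat does with changeSessionIdOnAuthentication, assumed here as the reference behaviour), invalidation at logout kills every copy of the id at once, and the idle timeout expires an id that is no longer used.

```python
import secrets
import time


class SessionStore:
    """Map session id -> attributes, as a servlet container does for JSESSIONID.
    Toy model for illustration; not the container's real implementation."""

    def __init__(self, max_idle_seconds=30 * 60):
        self._sessions = {}      # sid -> dict of session attributes
        self._last_seen = {}     # sid -> time of the last request that used it
        self.max_idle = max_idle_seconds

    def new_session(self, now=None):
        # 128 random bits as 32 upper-case hex characters, the shape of the
        # id quoted in the article.
        sid = secrets.token_hex(16).upper()
        self._sessions[sid] = {}
        self._last_seen[sid] = time.monotonic() if now is None else now
        return sid

    def lookup(self, sid, now=None):
        """Return the session for sid, or None if unknown or idle too long.
        Nothing here identifies the browser: whoever presents the id gets it."""
        now = time.monotonic() if now is None else now
        if sid not in self._sessions:
            return None
        if now - self._last_seen[sid] > self.max_idle:
            self.invalidate(sid)
            return None
        self._last_seen[sid] = now
        return self._sessions[sid]

    def invalidate(self, sid):
        """Like HttpSession.invalidate(): every holder of the id loses it at once."""
        self._sessions.pop(sid, None)
        self._last_seen.pop(sid, None)

    def login(self, sid, user, now=None):
        """Authenticate and rotate the id, so an id known before login
        (for example one planted by an attacker) is not upgraded to a
        logged-in session."""
        attrs = self._sessions.pop(sid, {})
        self._last_seen.pop(sid, None)
        new_sid = self.new_session(now)
        self._sessions[new_sid].update(attrs)
        self._sessions[new_sid]["user"] = user
        return new_sid


def whoami(store, cookie_value, now=None):
    """A request handler: identity is derived from the cookie value alone."""
    session = store.lookup(cookie_value, now)
    if session is None:
        return "anonymous"
    return session.get("user", "anonymous")


def demo():
    store = SessionStore()
    a_pre_login = store.new_session()
    a_sid = store.login(a_pre_login, "userA")            # user A's JSESSIONID
    b_sid = store.login(store.new_session(), "userB")    # user B's own id

    results = {}
    # Steps 3 to 5: B presents A's id; the server serves A's session.
    results["b_presenting_a_id"] = whoami(store, a_sid)
    results["b_presenting_own_id"] = whoami(store, b_sid)
    # Rotation at login: the id A had before logging in no longer works.
    results["a_pre_login_id"] = whoami(store, a_pre_login)
    # A logs out; the copy B holds dies with it.
    store.invalidate(a_sid)
    results["a_id_after_logout"] = whoami(store, a_sid)
    # Idle timeout bounds how long a leaked but unrevoked id stays usable.
    short = SessionStore(max_idle_seconds=60)
    c_sid = short.login(short.new_session(now=0.0), "userC", now=0.0)
    results["c_id_after_idle"] = whoami(short, c_sid, now=61.0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately contains no check that could distinguish user B's browser from user A's: a session cookie is a bearer credential, and binding it to a client address or TLS channel is not something the servlet session API does by default.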

Environment

  • Liferay 7.x

Resolution

  • This is not a security issue in Liferay. The JSESSIONID is the credential that identifies a session: whoever presents it to the server is given that session, because the servlet container has no other way to tell one browser from another. In the steps above, user A deliberately disclosed that credential to user B. If user B's browser does not know user A's JSESSIONID, it cannot reach user A's session.
  • What a deployment is responsible for is keeping the id from leaking in the first place: serve the portal over HTTPS with the session cookie marked Secure and HttpOnly, avoid URL rewriting that places ;jsessionid= in links (where it ends up in Referer headers, logs and bookmarks), and rely on invalidation at logout and the session idle timeout to limit how long a disclosed id remains usable.
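A client-side check for the hardening points in the resolution, added here as an example (not Liferay code). It inspects Set-Cookie header values as captured from a login response (for instance with curl -i) and reports a JSESSIONID that lacks HttpOnly, Secure or SameSite, and it flags URLs that carry the id through servlet URL rewriting. The header values and URLs below are constructed for the example, reusing the id quoted in the article.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "JSESSIONID"


def audit_session_cookie(set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Return a list of findings for the session cookie among the given
    Set-Cookie header values. An empty list means nothing to report."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        morsel = jar.get(cookie_name)
        if morsel is None:
            continue
        seen = True
        # Flag attributes parse to True when present, "" when absent.
        if not morsel["httponly"]:
            findings.append("missing HttpOnly: script on the page can read the id")
        if not morsel["secure"]:
            findings.append("missing Secure: the id is also sent over plain HTTP")
        if not morsel["samesite"]:
            findings.append("no SameSite attribute: browser default applies")
    if not seen:
        findings.append(f"no {cookie_name} cookie set")
    return findings


def url_exposes_session_id(url):
    """True if the URL carries the session id as a path parameter
    (servlet URL rewriting, ;jsessionid=...) or as a query parameter."""
    parts = urlsplit(url)
    if ";jsessionid=" in parts.path.lower():
        return True
    return "jsessionid=" in parts.query.lower()


# Constructed sample input, not captured from a real server.
HARDENED = [
    "JSESSIONID=0D13262EDECBA19E93D5A753FC34E03A; Path=/; HttpOnly; Secure; SameSite=Lax",
]
WEAK = [
    "JSESSIONID=0D13262EDECBA19E93D5A753FC34E03A; Path=/",
    "COOKIE_SUPPORT=true; Path=/",
]
REWRITTEN_URL = (
    "https://portal.example/group/guest/home"
    ";jsessionid=0D13262EDECBA19E93D5A753FC34E03A"
)

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_session_cookie(headers) or "ok")
    print("url rewriting:", url_exposes_session_id(REWRITTEN_URL))
```

The host names and cookie names other than JSESSIONID are illustrative. Run the audit against the actual login response of the portal; the Secure and HttpOnly flags are set by the servlet container's session cookie configuration, not by the application code.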

Additional Information

  • Taking another example: if user A shares his internet banking credentials with user B, and user B then logs in to internet banking, that cannot be considered user A's banking account having been hacked by user B. User B merely used information that user A gave him and that should have remained confidential.
