Returns the session ID specified by the client. This may not be the same as the ID of the current valid session for this request. If the client did not specify a session ID, this method returns null.
The session ID it returns is transmitted either in a cookie or in a URL parameter. Either way, an end user can manually change the value of this session ID in an HTTP request.
Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (e.g. Tomcat or Jetty) to see if the value matches the ID of an existing session.
If it does not, the user should be considered unauthenticated.
If an attacker succeeds in fixing a user's session to a session identifier that they know, then they can impersonate this victim and gain access to their account without providing valid credentials. This can result in unauthorized actions, such as modifying personal information, making unauthorized transactions, or even performing malicious activities on behalf of the victim. An attacker can also manipulate the victim into performing actions they wouldn't normally do, such as revealing sensitive information or conducting financial transactions on the attacker's behalf.
In both examples, a session ID is used to check whether a user's session is still active. In the noncompliant example, the session ID supplied by the user is used. In the compliant example, the session ID defined by the server is used instead.
[source,java]
----
// Compliant: the ID comes from the session the container resolved, not from the raw request
if (isActiveSession(request.getSession().getId())) {
// ...
}
----
=== How does this work?
The noncompliant example uses `HttpServletRequest.getRequestedSessionId()` to retrieve a session ID and then uses it to check whether the corresponding session is still active. Because this value is supplied by the client, it is not guaranteed to be a valid ID of any existing session.
The compliant example instead uses the server's session ID to verify if the session is active. Additionally, `getSession()` will create a new session if the user's request does not contain a valid ID.
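The following servlet filter is an added example, not code from the original rule description: it shows the compliant check from above in context, using `getSession(false)` so that an unrecognised ID never causes a session to be created, and it logs a client-supplied ID that the container does not recognise. The `"user"` session attribute and the filter name are assumptions.

```java
import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

// Hypothetical filter guarding authenticated paths (assumed name, not from the page).
public class SessionCheckFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Noncompliant pattern, shown for contrast only: the ID below is whatever the
        // client put in the cookie or URL, so checking it proves nothing.
        // if (isActiveSession(request.getRequestedSessionId())) { ... }

        // Compliant: ask the container which session it resolved for this request.
        // getSession(false) returns null instead of creating a session for an unknown ID.
        HttpSession session = request.getSession(false);
        // "user" is an assumed attribute set by the application at login time.
        boolean authenticated = session != null && session.getAttribute("user") != null;

        // Detection hook: the client presented an ID the container does not recognise.
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            request.getServletContext()
                   .log("Unrecognised session ID presented from " + request.getRemoteAddr());
        }

        if (!authenticated) {
            // No valid server-side session: treat the caller as unauthenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}
```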
* Jakarta EE Documentation - https://jakarta.ee/specifications/platform/10/apidocs/jakarta/servlet/http/httpservletrequest#getRequestedSessionId--[`HttpServletRequest` - `getRequestedSessionId`]