Servlet - check if user is logged in

Hi folks, I am new here and also new to Vaadin.

I am testing the authentication based on ThreadLocals as described at the
Vaadin wiki page

Now my question is how to make the standard Servlets secure? Let’s say I have a basic HttpServlet which handles file uploads (outside of the Vaadin web application, for example because I am using App Engine). This servlet needs to check if the user is logged in to the Vaadin application.
What I would like to do is to get the current instance of my Vaadin Application and return the user that is logged in. Inside Vaadin Windows I can do this like MyApplication.getInstance().getMyUser(). Calling MyApplication.getInstance() returns null inside the servlet.


A workaround which seems to work is to store the ID of the user inside the HttpSession in my Vaadin Application:

// Inside my Vaadin Application, after the user's credentials have been verified:
WebApplicationContext ctx = (WebApplicationContext) getContext();
HttpSession session = ctx.getHttpSession();
// Only the user ID goes into the session; the servlet reloads the user from the database.
session.setAttribute("loggedUserId", user.getId());

And inside my Servlet I can get this value from the session, load the user from the database and check if he has the rights.
Is this approach secure? Can someone change or fake the contents of the session?

Is there a way how to do this? Thank you.

We also use this approach to “authenticate” users across normal JSP pages, the Vaadin app and some other servlets.

It is secure in the way that all requests with the “correct” session ID will have the same login information.
The value of “loggedUserId” can’t be manipulated from the client side, so it’s safe.
The “only” potential threat is the session fixation issue, which should be looked at.

When another web browser sends the same session identifier as a logged-in user session, then that web browser is also authenticated (and using the same session state).

In your web browser you can see a cookie named JSESSIONID=…
This is the link between your session and the client.
When another web browser uses the same JSESSIONID=… then it will also be logged in.

In Vaadin there is another layer protecting you from such attacks, but in your own servlets there is no such protection.
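Putting the two posts together, the following is an added example (not code from the question, the answer, or the Vaadin project) of the plain-servlet side: a helper that reads the “loggedUserId” attribute the question stores, a servlet that refuses requests without it, and a login helper for the JSP/servlet path that issues a fresh session ID before binding the user, which is the session fixation mitigation the answer points at. It assumes the javax.servlet API, that user IDs are numeric, and a hypothetical UserDao / User class with a canUpload() method; nothing here creates a session on an unauthenticated request. Rotating the session from inside the Vaadin Application itself is deliberately left out, because in Vaadin 6 the Application object lives in that same HttpSession and invalidating it would end the Vaadin application too.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Shared session handling for the JSP pages, Vaadin app and other servlets. */
public final class SessionAuth {
    /** Same attribute name the Vaadin Application writes in the question. */
    public static final String USER_ID_ATTR = "loggedUserId";

    private SessionAuth() {}

    /**
     * Binds a verified user to the session from a plain servlet/JSP login.
     * The pre-login session (whose ID an attacker could have planted) is
     * discarded and the container issues a new ID, so a fixed session ID
     * never becomes an authenticated one.
     */
    public static void login(HttpServletRequest request, long userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // new JSESSIONID issued here
        fresh.setAttribute(USER_ID_ATTR, Long.valueOf(userId));
    }

    /**
     * Returns the logged-in user ID, or null if the request carries no
     * authenticated session. getSession(false) never creates a session,
     * so anonymous requests do not leave empty sessions behind.
     */
    public static Long currentUserId(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object id = session.getAttribute(USER_ID_ATTR);
        // Accept Integer or Long, whatever getId() returned on the Vaadin side.
        return (id instanceof Number) ? Long.valueOf(((Number) id).longValue()) : null;
    }

    /** Ends the session entirely rather than just clearing the attribute. */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}

/** The upload servlet from the question, gated on the shared session state. */
class UploadServlet extends HttpServlet {
    // Hypothetical data access object; not part of any real library.
    private final UserDao userDao = new UserDao();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Long userId = SessionAuth.currentUserId(req);
        if (userId == null) {
            // Not logged in anywhere (Vaadin or JSP): reject before touching the body.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorisation is decided from the database record, not from session contents.
        User user = userDao.load(userId.longValue());
        if (user == null || !user.canUpload()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... handle the multipart upload for `user` here ...
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

/** Hypothetical stand-ins so the listing compiles; replace with your own classes. */
class User {
    private final boolean uploadAllowed;
    User(boolean uploadAllowed) { this.uploadAllowed = uploadAllowed; }
    boolean canUpload() { return uploadAllowed; }
}

class UserDao {
    User load(long id) { return id > 0 ? new User(true) : null; }
}
```

The servlet asks the container for the session with getSession(false) and treats a missing session or missing attribute identically, so a client that presents a made-up JSESSIONID simply gets a 401. Because the only thing read from the session is the ID, and rights are re-read from the database on every request, a permission change takes effect immediately instead of living on in stale session state.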