Situation: I have a "dumb" Javascript frontend that can contact some kind of SSO middleware (MW). The MW can obtain sessions by issuing requests that contain authentication credentials (username, password). I.e. the session will be created for a certain user.

My frontend needs to "restart" the session to gain the user's permissions to the target system. For that i need a valid session cookie.

The target system is not under my control (could be a more or less public WFS, WMS, etc.), so i cannot add any SSO mechanism to it.

Question: Is it possible to "steal" a Session forging a request which URL contains a valid session ID in the jsessionid parameter?

Goal : Issue such a request to a Servlet and make it respond with a Set-Cookie header that contains the same id. That way the frontend joins the session and may do whatever the user, which was used to create the session, is able to do.