Posted to users@tapestry.apache.org by Lutz Hühnken <lh...@googlemail.com> on 2009/01/02 12:34:19 UTC
Re: JSESSIONID cookie, secure is set, how to not set
I don't know how to do it within Tapestry, but generally you can use a
filter to make sure that jsessionid is never set as a secure cookie. I
dug up some old code that does that; I think it works:
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class TomcatUnifiedSessionFilter implements Filter {

    public void destroy() {
        // nothing to do here
    }

    public void doFilter(final ServletRequest request,
                         final ServletResponse response,
                         final FilterChain chain)
            throws IOException, ServletException {
        /*
         * Tomcat tracks the session using the JSESSIONID. When the session is
         * created as a consequence of a request of a secure page, however, the
         * "secure" attribute of the cookie is set to true. That prevents the
         * session from being tracked on subsequent non-secure pages. We would
         * like a unified approach, though.
         */
        final HttpServletRequest httpRequest = (HttpServletRequest) request;
        final HttpServletResponse httpResponse = (HttpServletResponse) response;

        // If a session already exists, re-issue its id as a non-secure cookie
        // with the same name and path; the browser replaces the stored
        // (secure) cookie with this one.
        final HttpSession session = httpRequest.getSession(false);
        if (session != null) {
            final Cookie sessionCookie = new Cookie("JSESSIONID", session.getId());
            sessionCookie.setMaxAge(-1); // session cookie: discarded when the browser closes
            sessionCookie.setSecure(false);
            sessionCookie.setPath(httpRequest.getContextPath());
            httpResponse.addCookie(sessionCookie);
        }
        chain.doFilter(request, response);
    }

    public void init(final FilterConfig config) throws ServletException {
        // nothing to do here
    }
}
On Wed, Dec 17, 2008 at 8:51 PM, Keith Bottner <kb...@gmail.com> wrote:
> Martijn,
>
> I get the rationale which is why I have other cookies that are marked as
> secure; however, the JSESSIONID cookie has a special use by the JSP server
> and is used for associating a user with a session so it should always be
> passed unsecured just to keep the user associated with the proper clustered
> server and with the proper backend mapping. The more secure cookies can be
> used for other uses.
>
> Keith
>
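As an added illustration (not code from the thread), the following Python simulates a browser cookie jar that first receives Tomcat's Secure JSESSIONID and then the filter's re-issued copy, so you can see exactly when the session id starts being sent over plain HTTP. The context path /app and the id ABC123 are constructed values.

```python
from dataclasses import dataclass


@dataclass
class StoredCookie:
    value: str
    path: str
    secure: bool


def parse_set_cookie(header: str):
    """Parse one Set-Cookie header value into (name, StoredCookie)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path, secure = "/", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "path":
            path = val
        elif key.lower() == "secure":
            secure = True
        # other attributes (HttpOnly, Max-Age, ...) are ignored here
    return name, StoredCookie(value, path, secure)


class CookieJar:
    def __init__(self):
        # keyed by (name, path): a later Set-Cookie with the same key replaces the earlier one
        self.store = {}

    def receive(self, set_cookie_headers):
        for header in set_cookie_headers:
            name, cookie = parse_set_cookie(header)
            self.store[(name, cookie.path)] = cookie

    def cookies_for(self, scheme, request_path):
        """Names of stored cookies the browser would attach to this request
        (simplified RFC 6265 path match plus the Secure rule)."""
        sent = []
        for (name, path), c in self.store.items():
            path_ok = request_path == path or request_path.startswith(path.rstrip("/") + "/")
            if path_ok and (scheme == "https" or not c.secure):
                sent.append(name)
        return sent


def simulate():
    jar = CookieJar()
    # Response 1: session created during an HTTPS request; Tomcat marks the cookie Secure.
    jar.receive(["JSESSIONID=ABC123; Path=/app; Secure; HttpOnly"])
    before = jar.cookies_for("http", "/app/home")   # cookie withheld over HTTP
    # Response 2: the filter re-issues the same id with the same path but without Secure.
    jar.receive(["JSESSIONID=ABC123; Path=/app"])
    after = jar.cookies_for("http", "/app/home")    # now sent in clear text
    return before, after
```

The second step is the behaviour the filter intends, and also the point where the session id leaves the TLS channel, which is what the Secure attribute was guarding against.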