Posted to users@tapestry.apache.org by Lutz Hühnken <lh...@googlemail.com> on 2009/01/02 12:34:19 UTC

Re: JSESSIONID cookie, secure is set, how to not set

I don't know how to do it within Tapestry, but generally you can use a
filter to make sure that jsessionid is never set as a secure cookie. I
dug up some old code that does that, I think it works:


import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class TomcatUnifiedSessionFilter implements Filter {

    public void destroy() {
        // nothing to do here
    }

    public void doFilter(final ServletRequest request, final ServletResponse response,
            final FilterChain chain) throws IOException, ServletException {
        /*
         * Tomcat tracks the session using the JSESSIONID. When the session is
         * created as a consequence of a request of a secure page, however, the
         * "secure" attribute of the cookie is set to true. That prevents the
         * session to be consecutively tracked on non-secure pages. We would
         * like a unified approach, though.
         */

        final HttpServletRequest httpRequest = (HttpServletRequest) request;
        final HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Only an already existing session is handled (getSession(false) does
        // not create one). Its id is sent again as a JSESSIONID cookie without
        // the secure flag, using the same name and path as the container's own
        // cookie, so the copy stored in the browser gets replaced.
        final HttpSession session = httpRequest.getSession(false);
        if (session != null) {
            final Cookie sessionCookie = new Cookie("JSESSIONID", session.getId());
            sessionCookie.setMaxAge(-1); // session cookie: discarded when the browser closes
            sessionCookie.setSecure(false);
            sessionCookie.setPath(httpRequest.getContextPath());
            httpResponse.addCookie(sessionCookie);
        }

        chain.doFilter(request, response);
    }

    public void init(final FilterConfig config) throws ServletException {
        // nothing to do here
    }
}


On Wed, Dec 17, 2008 at 8:51 PM, Keith Bottner <kb...@gmail.com> wrote:
> Martijn,
>
> I get the rationale which is why I have other cookies that are marked as
> secure; however, the JSESSIONID cookie has a special use by the JSP server
> and is used for associating a user with a session so it should always be
> passed unsecured just to keep the user associated with the proper clustered
> server and with the proper backend mapping. The more secure cookies can be
> used for other uses.
>
> Keith
>
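Added here as an example (not code from the thread, Tapestry or Tomcat): a small Python model of what a browser's cookie jar holds once a response carries both Tomcat's own JSESSIONID cookie and the copy the filter above emits, followed by a check of the resulting flags. It assumes RFC 6265 replacement (same name and path replaces the earlier cookie, single host throughout) and that the container omits an empty Path attribute; all header values are constructed.

```python
# Added example, not from the thread: model the browser's cookie jar after a
# response that carries Tomcat's own JSESSIONID cookie and the filter's copy.
# Assumed: RFC 6265 replacement (same name + path replaces the earlier cookie,
# single host), and an empty Path is dropped by the container. Samples constructed.

def default_path(request_path):
    """RFC 6265 5.1.4: the request path up to, not including, its last '/'."""
    if not request_path.startswith("/") or request_path.rfind("/") == 0:
        return "/"
    return request_path[:request_path.rfind("/")]

def parse_set_cookie(header, request_path="/"):
    """Parse one Set-Cookie value into a dict; a missing Path gets the default path."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(),
            "path": attrs.get("path") or default_path(request_path),
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}

def cookie_jar_after(set_cookie_headers, request_path="/"):
    """Apply headers in order: same (name, path) replaces, another path is kept alongside."""
    jar = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header, request_path)
        jar[(cookie["name"], cookie["path"])] = cookie
    return jar

def audit_session_cookie(jar, name="JSESSIONID"):
    """Findings a reviewer would raise about the session cookie the jar ends up with."""
    findings = []
    entries = [c for (n, _), c in jar.items() if n == name]
    if len(entries) > 1:
        findings.append("%s stored under %d paths; requests may carry either id" % (name, len(entries)))
    for c in entries:
        if not c["secure"]:
            findings.append("%s for path %s lacks Secure: also sent over plain HTTP" % (name, c["path"]))
        if not c["httponly"]:
            findings.append("%s for path %s lacks HttpOnly: readable by page scripts" % (name, c["path"]))
    return findings

# Constructed samples: Tomcat's cookie, then the filter's copy. Context /app first;
# then the root context, where getContextPath() is "" and no Path attribute is sent.
SAMPLE_APP = ["JSESSIONID=8C2F1A; Path=/app; Secure; HttpOnly", "JSESSIONID=8C2F1A; Path=/app"]
SAMPLE_ROOT = ["JSESSIONID=8C2F1A; Path=/; Secure; HttpOnly", "JSESSIONID=8C2F1A"]
```

Running audit_session_cookie(cookie_jar_after(SAMPLE_ROOT, "/account/show")) shows the root-context case: the container's cookie stays under Path=/ while the filter's copy lands under the request's default path, so the browser stores both.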
