This week's book giveaway is in the General Computing forum.
We're giving away four copies of Arduino in Action and have Martin Evans, Joshua Noble, and Jordan Hochenbaum on-line!
See this thread for details.
The moose likes Servlets and the fly likes Multiple Cookies with the name 'JSESSIONID' getting created Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login


Win a copy of Arduino in Action this week in the General Computing forum!

A special promo: Enter your blog post or vote on a blogger to be featured in an upcoming Journal
JavaRanch » Java Forums » Java » Servlets
Reply Bookmark "Multiple Cookies with the name Watch "Multiple Cookies with the name New topic
Author

Multiple Cookies with the name 'JSESSIONID' getting created

Sunil Chavan
Greenhorn

Joined: Apr 11, 2007
Posts: 28
posted private message
0
Quote
Hi,

In my application I want to make JSESSIONID cookie to httpOnly and want to specify path for it for security purpose as it is having '/' as a default path. So I added following code after session creation.



After this JSESSIOND cookie path getting set as I have mentioned.

But as request process further another JSESSIONID cookie is getting created with '/' as a default path.

How can I restrict it from getting created.

Any help would be Appreciated

Thanks & Regards,

Sunil Chavan
Devaka Cooray
Saloon Keeper

Joined: Jul 29, 2008
Posts: 2729
    
    3

I like...
Chrome Eclipse IDE IntelliJ IDE
posted private message
0
Quote
You should never interact with the JSESSIONID cookie which is used for session tracking.

  • Use a Servlet Filter.
  • In that filter, use request.getSession() method to create a session, only when the criteria is matched (path==/MyPath/MyApp/).
  • Use JSPs just as viewer components and use <%@ page session="false"> to disable creating sessions in JSPs.


    • This sounds not related to JSP. Moving to Servlets...

    Author of ExamLab (Download) - the free mock exam kit for SCJP / OCPJP
    HELP me! -- Home Page -- Twitter Profile -- JavaRanch FAQ -- How to Ask a Question
    Sunil Chavan
    Greenhorn

    Joined: Apr 11, 2007
    Posts: 28
    posted private message
    0
    Quote
    Hi,
    Thanks for your reply.
    Use a Servlet Filter. In that filter, use request.getSession() method to create a session

    I have Filter implemented who checks for valid sessiond id of every request. But session creation part is in other class files where session gets created only after authentication.
    only when the criteria is matched (path==/MyPath/MyApp/).

    How can i check path criteria for session creation or while setting cookie?

    Regards
    Sunil Chavan.
    Ben Souther
    Sheriff

    Joined: Dec 11, 2004
    Posts: 13410

    I like...
    Firefox Browser Redhat VI Editor
    posted private message
    0
    Quote
    You don't.
    The session id is handled by the container.

    If what it provides is insufficient for your purposes you would need to implement you're own session handling mechanism.
    Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
    Sunil Chavan
    Greenhorn

    Joined: Apr 11, 2007
    Posts: 28
    posted private message
    0
    Quote
    I am perfectly ok with how container is handling session. I just wanted to make JSESSIONID cookie as httpOnly and want to set it's path as it is suggested by Security Audit Group team.
    But I am still unable to do it.
    Any guidance related to it would be very helpful.

    Regards,
    Sunil Chavan
     
    I agree. Here's the link: http://aspose.com/file-tools
     
    subject: Multiple Cookies with the name 'JSESSIONID' getting created
     
    Similar Threads
    cookie value set problem
    Struts2 cookies
    Problem in using HTTPOnly attribute
    Need to set HTTPONLY value to make cookies secure!!!
    Confusion about session destruction