Multiple Cookies with the name 'JSESSIONID' getting created

Sunil Chavan
Greenhorn

Joined: Apr 11, 2007
Posts: 28
Hi,

In my application I want to make the JSESSIONID cookie httpOnly and to specify a path for it for security purposes, as it has '/' as its default path. So I added the following code after session creation.



After this, the JSESSIONID cookie path gets set as I specified.

But as the request is processed further, another JSESSIONID cookie gets created with '/' as the default path.

How can I prevent it from being created?

Any help would be appreciated.

Thanks & Regards,

Sunil Chavan
Devaka Cooray
ExamLab Creator
Saloon Keeper

Joined: Jul 29, 2008
Posts: 2886

You should never interact with the JSESSIONID cookie which is used for session tracking.

  • Use a Servlet Filter.
  • In that filter, use request.getSession() method to create a session, only when the criteria is matched (path==/MyPath/MyApp/).
  • Use JSPs just as viewer components and use <%@ page session="false" %> to disable creating sessions in JSPs.


  • This does not sound related to JSP. Moving to Servlets...


Sunil Chavan
Greenhorn

Joined: Apr 11, 2007
Posts: 28
Hi,
Thanks for your reply.
> Use a Servlet Filter. In that filter, use request.getSession() method to create a session

I have a Filter implemented which checks for a valid session id on every request. But the session creation part is in other class files, where the session gets created only after authentication.
> only when the criteria is matched (path==/MyPath/MyApp/).

How can I check the path criteria for session creation or while setting the cookie?

Regards
Sunil Chavan.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

You don't.
The session id is handled by the container.

If what it provides is insufficient for your purposes you would need to implement your own session handling mechanism.

Sunil Chavan
Greenhorn

Joined: Apr 11, 2007
Posts: 28
I am perfectly OK with how the container is handling the session. I just wanted to make the JSESSIONID cookie httpOnly and to set its path, as suggested by the Security Audit Group team.
But I am still unable to do it.
Any guidance related to it would be very helpful.

Regards,
Sunil Chavan
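
For the requirement discussed in this thread, an added example (not code from any of the posters): on a Servlet 3.0 or later container, the session cookie's attributes can be declared to the container itself, so it issues a single JSESSIONID cookie with HttpOnly and the chosen path and no second cookie has to be added by application code. It assumes the javax.servlet API and reuses /MyPath/MyApp/ from the reply above as the path; the class name is hypothetical.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Hypothetical class name; added example, not code from the thread.
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    // Assumption: the application is served under this path (taken from the reply above).
    private static final String SESSION_COOKIE_PATH = "/MyPath/MyApp/";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();

        // The setters below are only accepted while the context is still
        // initializing; afterwards they throw IllegalStateException.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true);
        cfg.setPath(SESSION_COOKIE_PATH);

        // A cookie path outside the context path is either broader than the
        // application or never sent to it, so flag it at startup.
        String contextPath = ctx.getContextPath();
        if (!SESSION_COOKIE_PATH.startsWith(contextPath)) {
            ctx.log("Session cookie path " + SESSION_COOKIE_PATH
                    + " is not under context path " + contextPath);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release.
    }
}
```

Every URL that needs the session must fall under the configured path; otherwise the browser does not return the cookie and the container starts a new session on each request.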
     