
Multiple Cookies with the name 'JSESSIONID' getting created

Sunil Chavan
Greenhorn

Joined: Apr 11, 2007
Posts: 28
Hi,

In my application I want to make the JSESSIONID cookie httpOnly and want to specify a path for it for security purposes, as it has '/' as a default path. So I added the following code after session creation.



After this, the JSESSIONID cookie path is getting set as I have mentioned.

But as the request is processed further, another JSESSIONID cookie is getting created with '/' as a default path.

How can I restrict it from getting created?

Any help would be appreciated.

Thanks & Regards,

Sunil Chavan
Devaka Cooray
ExamLab Creator
Saloon Keeper

Joined: Jul 29, 2008
Posts: 3060
    

You should never interact with the JSESSIONID cookie which is used for session tracking.

  • Use a Servlet Filter.
  • In that filter, use request.getSession() method to create a session, only when the criteria is matched (path==/MyPath/MyApp/).
  • Use JSPs just as viewer components and use <%@ page session="false" %> to disable creating sessions in JSPs.


  • This sounds not related to JSP. Moving to Servlets...


    Sunil Chavan
    Greenhorn

    Joined: Apr 11, 2007
    Posts: 28
    Hi,
    Thanks for your reply.
    "Use a Servlet Filter. In that filter, use request.getSession() method to create a session"

    I have a Filter implemented that checks for a valid session id on every request. But the session creation part is in other class files, where the session gets created only after authentication.
    "only when the criteria is matched (path==/MyPath/MyApp/)."

    How can I check the path criteria for session creation or while setting the cookie?

    Regards
    Sunil Chavan.
    Ben Souther
    Sheriff

    Joined: Dec 11, 2004
    Posts: 13410

    You don't.
    The session id is handled by the container.

    If what it provides is insufficient for your purposes you would need to implement your own session handling mechanism.

    Sunil Chavan
    Greenhorn

    Joined: Apr 11, 2007
    Posts: 28
    I am perfectly ok with how the container is handling the session. I just wanted to make the JSESSIONID cookie httpOnly and want to set its path, as suggested by the Security Audit Group team.
    But I am still unable to do it.
    Any guidance related to it would be very helpful.

    Regards,
    Sunil Chavan
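
The requirement discussed in this thread (an HttpOnly JSESSIONID with an explicit path, and no second cookie) can be met by configuring the container's own session cookie rather than adding a cookie by hand. The following is an added example, not code from any poster in the thread; it assumes a Servlet 3.0 or later container with the javax.servlet API, and the class and filter names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

// Added example; assumes Servlet 3.0+ (javax.servlet). Class and filter names are hypothetical.
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Configure the cookie the container itself emits. Do not also call
        // response.addCookie() with the same name: a cookie with a different
        // path is a separate cookie to the browser, so both would be stored.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true);
        String path = ctx.getContextPath();            // "" for the root context
        cfg.setPath(path.isEmpty() ? "/" : path);
        // Detection aid: flag requests that still carry more than one session cookie.
        FilterRegistration.Dynamic reg =
                ctx.addFilter("duplicateSessionCookie", new DuplicateFilter());
        if (reg != null) reg.addMappingForUrlPatterns(null, false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    static int countSessionCookies(Cookie[] cookies) {
        int n = 0;
        if (cookies != null) {                         // getCookies() is null when none were sent
            for (Cookie c : cookies) if (SESSION_COOKIE.equals(c.getName())) n++;
        }
        return n;
    }

    static class DuplicateFilter implements Filter {
        @Override public void init(FilterConfig fc) { }
        @Override public void destroy() { }
        @Override
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) rq;
            int n = countSessionCookies(http.getCookies());
            // Log the count and URI only, never the session id values themselves.
            if (n > 1) http.getServletContext().log(n + " JSESSIONID cookies on " + http.getRequestURI());
            chain.doFilter(rq, rs);
        }
    }
}
```

The same two cookie settings can be declared in web.xml under `<session-config><cookie-config>` with `<http-only>` and `<path>` on Servlet 3.0+ containers.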
     