Multiple Cookies with the name 'JSESSIONID' getting created

 
Greenhorn
Posts: 28
Hi,

In my application I want to make the JSESSIONID cookie httpOnly and want to specify a path for it for security purposes, as it has '/' as the default path. So I added the following code after session creation.



After this, the JSESSIONID cookie path is set as I have mentioned.

But as the request is processed further, another JSESSIONID cookie gets created with '/' as the default path.

How can I restrict it from getting created?

Any help would be appreciated.

Thanks & Regards,

Sunil Chavan
 
Sheriff
Posts: 7134
You should never interact with the JSESSIONID cookie which is used for session tracking.

  • Use a Servlet Filter.
  • In that filter, use the request.getSession() method to create a session, only when the criteria are matched (path==/MyPath/MyApp/).
  • Use JSPs just as viewer components and use <%@ page session="false" %> to disable creating sessions in JSPs.


  • This does not sound related to JSP. Moving to Servlets...
     
    Sunil Chavan
    Greenhorn
    Posts: 28
    Hi,
    Thanks for your reply.

    Use a Servlet Filter. In that filter, use request.getSession() method to create a session


    I have a Filter implemented which checks for a valid session id on every request. But the session creation part is in other class files, where the session gets created only after authentication.

    only when the criteria is matched (path==/MyPath/MyApp/).


    How can I check the path criteria for session creation or while setting the cookie?

    Regards
    Sunil Chavan.
     
    Sheriff
    Posts: 13411
    You don't.
    The session id is handled by the container.

    If what it provides is insufficient for your purposes you would need to implement your own session handling mechanism.
     
    Sunil Chavan
    Greenhorn
    Posts: 28
    I am perfectly OK with how the container is handling the session. I just wanted to make the JSESSIONID cookie httpOnly and want to set its path, as suggested by the Security Audit Group team.
    But I am still unable to do it.
    Any guidance related to it would be very helpful.

    Regards,
    Sunil Chavan
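
Added example, not part of any post in this thread: on a Servlet 3.0 or later container (an assumption, the thread does not name the container version), the session cookie's attributes can be set through the container's own `SessionCookieConfig` instead of adding a second cookie by hand. The class name and the `sessionCookieIsHardened` audit helper are hypothetical; the path is the `/MyPath/MyApp/` value used earlier in the thread.

```java
import java.util.Collection;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Hypothetical listener name; requires a Servlet 3.0+ container (assumption).
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    // Path taken from the thread's example; adjust to the real application path.
    static final String SESSION_PATH = "/MyPath/MyApp/";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // The container still creates JSESSIONID; it is only told which attributes to emit.
        // A cookie added by hand with another path would not replace the container's one:
        // browsers store cookies per name + domain + path, so both would coexist.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);
        cfg.setPath(SESSION_PATH);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    // Audit helper: true only if the given Set-Cookie values contain exactly one
    // JSESSIONID cookie and it carries HttpOnly and the expected Path.
    static boolean sessionCookieIsHardened(Collection<String> setCookieValues) {
        int seen = 0;
        boolean allOk = true;
        for (String value : setCookieValues) {
            String[] parts = value.split(";");
            if (!parts[0].trim().startsWith("JSESSIONID=")) continue;
            seen++;
            boolean httpOnly = false;
            boolean pathOk = false;
            for (int i = 1; i < parts.length; i++) {
                String attr = parts[i].trim();
                if (attr.equalsIgnoreCase("HttpOnly")) httpOnly = true;
                if (attr.regionMatches(true, 0, "Path=", 0, 5)
                        && attr.substring(5).equals(SESSION_PATH)) pathOk = true;
            }
            allOk &= httpOnly && pathOk;
        }
        return seen == 1 && allOk;
    }
}
```

The helper can be fed the values from `HttpServletResponse.getHeaders("Set-Cookie")` or from an HTTP client in an integration test; it returns false for the duplicate-cookie symptom described in the first post.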
     