Session attribute reset to null after using Secure cookie attribute

 
Greenhorn
Posts: 2
Due to security reasons, I had to make all cookies secure and http-only. Hence I added the following snippet in web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <session-config>
        <cookie-config>
            <http-only>false</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
</web-app>

I set a session attribute, but it resets every time a request reaches the server. I am unable to find the reason for this or how I can resolve it.

Thanks in advance,
 
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
HOW do you make a cookie secure when it's HTTP-only??? That sounds like an innate contradiction.

HTTP is inherently insecure because it is unencrypted and easily read by any man-in-the-middle. That's the whole purpose for HTTPS.

Cookies are not magic. They're sent as lines of header text in the HTTP requests and responses. So anyone can intercept and abuse a cookie any time they want.

I don't know what security manager you're using and PLEASE don't tell me it's something some "genius" has cooked up, because unless that genius is a full-time security professional, my experience is that DIY security systems can be broken by non-technical persons in under 15 minutes about 90% of the time.

If you're using the security system that's built into the JEE standard and thus into all JEE webapp servers (including Tomcat and Jetty), then proper app security requires that when you log in, your transport should be HTTPS and the login session key is transmitted in the jsessionid cookie. To avoid exploits, the value of this cookie is changed to an unpredictable new value as part of the login process (which is why you should NEVER cache jsessionid). The value of jsessionid contains no session information itself, only acting as a hash key to the webapp server's Map of jsessionid/HttpSession.

Aside from that, though, many modern-day webapp clients will scream in rage if you attempt to request via HTTP instead of HTTPS and in most cases, the HTTP URL will be rewritten as HTTPS. HTTP is simply not adequate for the open Internet these days.
 
Sheriff
Posts: 22781
131
Eclipse IDE Spring VI Editor Chrome Java Windows
Can you verify that you're using https to access your server? Because that <secure>true</secure> part means that the cookie doesn't work for http.

If your server is behind a proxy (apache, nginx, whatever) and that proxy communicates to your server over http (not https), you'll never get the cookie to work. Either use https between the proxy and the server, or something like AJP that keeps the https flag intact.
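To make the mechanism in the two replies above concrete, here is an added simulation written for this edit (it is not code from the thread, from Tomcat or from any servlet container): a toy stand-in for the container's JSESSIONID-to-session map on the server side, and Python's standard http.cookiejar on the client side, which applies the real browser rule that a cookie flagged Secure is never sent on a plain http request. The hostname app.example.test, the attribute name `user` and the class and function names are constructed for the example; `secure_cookie=True` corresponds to the `<secure>true</secure>` setting in the web.xml above.

```python
# Added example (not from the thread): why a session attribute "resets" when
# the JSESSIONID cookie is flagged Secure but the client talks plain http.
# Server side: a toy stand-in for a servlet container's session map.
# Client side: http.cookiejar, which enforces that a Secure cookie is only
# sent back on https requests (DefaultCookiePolicy.return_ok_secure).
import email.message
import http.cookiejar
import secrets
import urllib.request


class ToyContainer:
    """Minimal stand-in for a container's JSESSIONID -> HttpSession map."""

    def __init__(self, secure_cookie, http_only=True):
        self.sessions = {}              # session id -> dict of attributes
        self.secure_cookie = secure_cookie
        self.http_only = http_only

    def handle(self, cookie_header):
        """Find the session named in the Cookie header, or create a new one.

        Returns (session_dict, set_cookie_header_or_None)."""
        sid = None
        if cookie_header:
            for part in cookie_header.split(";"):
                name, _, value = part.strip().partition("=")
                if name == "JSESSIONID":
                    sid = value
        if sid in self.sessions:
            return self.sessions[sid], None
        # No usable session: behave like getSession(true) and issue a new id.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        flags = ["Path=/"]
        if self.http_only:
            flags.append("HttpOnly")
        if self.secure_cookie:
            flags.append("Secure")
        return self.sessions[sid], "JSESSIONID=%s; %s" % (sid, "; ".join(flags))


class FakeResponse:
    """The only part of a response http.cookiejar inspects: its headers."""

    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def run_client(scheme, container, requests=3):
    """Send `requests` requests over `scheme` from a browser-like client.

    Request 1 stores a session attribute; every request reports the value the
    server currently sees. Returns that list (None = attribute is gone)."""
    jar = http.cookiejar.CookieJar()
    url = "%s://app.example.test/app/page" % scheme   # constructed hostname
    seen = []
    for i in range(requests):
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)        # browser attaches only eligible cookies
        session, set_cookie = container.handle(req.get_header("Cookie"))
        if i == 0:
            session["user"] = "alice"     # servlet: session.setAttribute("user", ...)
        seen.append(session.get("user"))
        if set_cookie:
            # Feed the Set-Cookie header back into the browser's cookie jar.
            headers = email.message.Message()
            headers["Set-Cookie"] = set_cookie
            jar.extract_cookies(FakeResponse(headers), req)
    return seen


def main():
    for scheme in ("https", "http"):
        print(scheme, run_client(scheme, ToyContainer(secure_cookie=True)))


if __name__ == "__main__":
    main()
```

Over https the attribute set on the first request is still there on the following ones; over plain http the Secure cookie is never sent back, so every request starts a fresh, empty session, which is exactly what "the attribute resets" looks like from the application. Running the same loop with `secure_cookie=False` shows the session cookie round-tripping over http, the exposure the Secure flag exists to prevent, so the fix is to reach the server over https (directly, or end to end through the proxy as the reply above says), not to drop the flag.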
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
OK. I had to do some digging. I read "HTTP-only" as meaning NOT https and that's not what it means. It means that the cookie is used in the http(s) traffic, but not accessible to client-side JavaScript, which is an aid to avoiding cross-site scripting attacks.

An HTTP jsessionid cookie is created and maintained by the JEE server. In the event that the JEE server is fronted by a reverse proxy like Apache, IIS or nginx, the jsessionid is handled in the normal way, but the HTTPS protocol is handled by the proxy. So the normal session rules apply in either case, proxy or no proxy.

An HttpSession (jsession) is created when A) a webapp explicitly calls for a session to exist when it didn't before (getSession(true)) or B) when a user logs in using JEE standard security (the session contains user identity and security objects). The session should then continue to exist until one of the following happens: A) the user explicitly destroys the session (which will log out a logged-in user) or B) no incoming HTTP/HTTPS requests with that session ID have been made within the defined session timeout interval (defaults to 30 minutes, I believe, set in web.xml).

That second item is critical. Web apps can appear to be very busy and still time out. If you have a web page full of active scripts and/or multi-media, but you do not make a server request either via a traditional URL or AJAX, the session will time out. Only another request to the server will reset the session countdown.

If a session times out, you will not be notified. HTTP does not have the ability to send any sort of message to a client except as part of a response to a request from the client. So you could have timed out 4 hours ago, but you won't be notified of it until you send another request. One way to avoid that is to have a timed script in your client that sends an AJAX "keep-alive" ping request periodically.
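The lifecycle rules in the post above, turned into a clock-driven model (an added example for this edit, not code from the thread or from any servlet container): a session store with a last-access timestamp and an idle timeout, replayed against a list of timestamped events. The event kinds, the helper names and the use of the 30-minute default are assumptions made for the example. What it shows is that only requests that actually reach the server reset the countdown, that the client learns about an expiry only when its next request comes back with a fresh session, and that a keep-alive ping only helps if its interval is shorter than the timeout.

```python
# Added example (not from the thread): a clock-driven model of servlet session
# lifetime. A session survives only while requests keep arriving within the
# idle timeout, or until an explicit invalidate(). Client-side activity that
# never contacts the server does not count, so a "busy" page can still expire.
import uuid

DEFAULT_TIMEOUT_S = 30 * 60   # the 30-minute default mentioned in the thread


class SessionStore:
    """Stand-in for the container's session map with a last-access time."""

    def __init__(self, idle_timeout_s=DEFAULT_TIMEOUT_S):
        self.idle_timeout_s = idle_timeout_s
        self._last_access = {}      # session id -> time of last request (seconds)

    def create(self, now):
        """Like getSession(true) when no session exists yet."""
        sid = uuid.uuid4().hex
        self._last_access[sid] = now
        return sid

    def access(self, sid, now):
        """A request carrying `sid` arrives at time `now`.

        Resets the countdown and returns True if the session is alive; evicts
        it and returns False if it idled longer than the timeout."""
        last = self._last_access.get(sid)
        if last is None:
            return False
        if now - last > self.idle_timeout_s:
            del self._last_access[sid]
            return False
        self._last_access[sid] = now
        return True

    def invalidate(self, sid):
        """Explicit session.invalidate(), e.g. a logout."""
        self._last_access.pop(sid, None)


def simulate(events, idle_timeout_s=DEFAULT_TIMEOUT_S):
    """Replay (time_s, kind) events against one session, in time order.

    kind is "request" (page load, AJAX call, keep-alive ping), "activity"
    (scripts or media that send nothing to the server) or "logout".
    Returns (time_s, kind, alive) triples; alive is None for "activity"
    because, as in HTTP, only a request can reveal the session state."""
    store = SessionStore(idle_timeout_s)
    sid = store.create(events[0][0]) if events else None
    timeline = []
    for t, kind in events:
        if kind == "request":
            alive = store.access(sid, t)
            if not alive:
                sid = store.create(t)   # container silently starts a fresh session
        elif kind == "logout":
            store.invalidate(sid)
            alive = False
        else:                           # "activity": the server never hears of it
            alive = None
        timeline.append((t, kind, alive))
    return timeline


def busy_page_without_requests(idle_timeout_s=DEFAULT_TIMEOUT_S):
    """Page loads at t=0, runs scripts for 45 minutes, then makes a request."""
    events = [(0, "request"), (600, "activity"), (1500, "activity"), (2700, "request")]
    return simulate(events, idle_timeout_s)


def keep_alive_pings(interval_s, total_s, idle_timeout_s=DEFAULT_TIMEOUT_S):
    """Ping every interval_s for total_s; True if the session never expired."""
    events = [(t, "request") for t in range(0, total_s + 1, interval_s)]
    return all(alive for _, _, alive in simulate(events, idle_timeout_s))


if __name__ == "__main__":
    print(busy_page_without_requests())
    print("10-minute pings over 4 hours:", keep_alive_pings(600, 4 * 3600))
    print("40-minute pings over 4 hours:", keep_alive_pings(2400, 4 * 3600))
```

In the busy-page run the request at 45 minutes finds the session gone and gets a new, empty one, with no earlier warning. Pinging every 10 minutes keeps a 30-minute session alive indefinitely, while a 40-minute ping interval loses it on the first ping; whether keeping sessions alive forever is desirable is a separate decision, since idle expiry also limits how long a leaked session id stays usable.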
 