2 Replies Latest reply on Jun 22, 2012 3:48 AM by nimo22

jboss 7 rename jsessionid for security issues

nimo22 Jun 19, 2012 7:47 AM

I want to hide information about the using technology at the webclient for security issues.

So I want to rename JSESSIONID to anything else.

Can I rename the "JSESSIONID" within web.xml ?

For example:

<context-param>

<param-name>javax.faces.JSESSIONID</param-name>

<param-value>myjsessionid</param-value>

</context-param>

If not, can I rename it in standalone.xml ?

If not, how can I rename it either?

1. Re: jboss 7 rename jsessionid for security issues

nimo22 Jun 19, 2012 8:03 AM (in response to nimo22)

If I add this to my server-params:

-Dorg.apache.catalina.JSESSIONID=MYJID

and inspect any request-cookie, then I can see both MYJID and JSESSIONID is set.

I have thought, JSESSIONID is replaced by MYJID. But JSESSIONID still exists within the cookie besides MYJID.

Is it possible to replace ALL JSESSIONID-Names with MYJID?
Actions
2. Re: jboss 7 rename jsessionid for security issues

nimo22 Jun 22, 2012 3:48 AM (in response to nimo22)

Okay, it works. I had forgotten to delete the old cookies (jsessionid) from the browser. The container does use MYJID instead of JSESSIONID.
Actions