0 Replies Latest reply on Jun 22, 2012 7:10 AM by nimo stephan

    JSESSIONID pitfalls

    nimo stephan Master

      I want to rename JSESSIONID within jboss as 7 container and has two possible ways:

      1. Way:

      -Dorg.apache.catalina.SESSION_COOKIE_NAME=MYID
      -Dorg.apache.catalina.SESSION_PARAMETER_NAME=myid

      2. Way:

      -Dorg.apache.catalina.JSESSIONID=SID

      I have the following questions:

      1. Where lies the difference between Way 1 and Way 2 ?
      2. In "Way 2", I only rename the SESSION_COOKIE_NAME and not the SESSION_PARAMETER_NAME, am I right? To rename the SESSION_PARAMETER_NAME, I also can use -Dorg.apache.catalina.jsessionid=SID, am I right?
      3. Are there any disadvandtages to rename the default JSESSIONID/jsessionid to something else? The Tomcat Specifications says (http://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html):"Note that the Servlet specification requires this to be jsessionid/JSESSIONID. You should not rely on being able to change this."What does this mean? Are there any disadvandtage to rename it? For example, broken authentication, security lacks or the like?