1 Reply Latest reply on Oct 28, 2013 4:54 PM by Elio Khattar

    Cannot set JSESSIONID Secure and HttpOnly with JBoss 4.2.3.GA

    Quang Nguyen Newbie

      Hi all,


      My system uses JBoss 4.2.3.GA and Seam 2.2.1.

      This is my root context: localhost/gate


      From what I found on Google, there is a way to set the Secure and HttpOnly flags for the JSESSIONID:


      #1

      // Replace the container's Set-Cookie header with one that carries Secure and HttpOnly,
      // using the application's own context path as the cookie Path
      if (response.containsHeader("SET-COOKIE")) {
           String path = request.getContextPath();          // "/gate" for this application
           String sessionid = request.getSession().getId();  // current session ID
           response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                                                        + "; Path=" + path + "; secure; HttpOnly");
      }

      If I use the code above, there are two JSESSIONID cookies with different paths ("/" and "/gate") and different values.

      The "/gate" one has the HttpOnly and Secure flags, but the "/" one does not.


      Then I tried something a little different:

      #2

      // Same as #1, but the cookie Path is forced to "/" instead of the context path
      if (response.containsHeader("SET-COOKIE")) {
           String path = request.getContextPath();          // not used in this variant
           String sessionid = request.getSession().getId();  // current session ID
           response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                                                        + "; Path=/; secure; HttpOnly");
      }

      Now there is only one JSESSIONID cookie, with path "/", but without the HttpOnly and Secure flags.


      I have three questions:

      1. With case #1, which cookie is used to identify the session?

      2. Why does #2 not work (Secure and HttpOnly)?

      3. Can I remove the "/" cookie or change it to "/gate"? I just want to use one session ID with the HttpOnly and Secure flags to meet the requirement.


      Any help will be appreciated. Sorry for my English.


      Thanks,

      Quang