Hi all,
My system uses JBoss 4.2.3.GA and Seam 2.2.1.
This is my root context: localhost/gate
As I googled, there is a way to set the Secure and HttpOnly flags for the JSessionId:
#1
    if (response.containsHeader("SET-COOKIE")) {
        String path = request.getContextPath();
        String sessionid = request.getSession().getId();
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                + "; Path=" + path + "; secure; HttpOnly");
    }
If I use the above, there will be two sessionids with different paths ("/" and "/gate") and values.
The "/gate" one has the httpOnly and secure flags, but the "/" one does not.
Then I tried something a little different:
#2
    if (response.containsHeader("SET-COOKIE")) {
        String path = request.getContextPath();
        String sessionid = request.getSession().getId();
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                + "; Path=/; secure; HttpOnly");
    }
Now there is only 1 sessionid, with path "/", but with no httpOnly and secure flags.
I have two questions:
1. With case #1, which variable is to be used to identify the session?
2. Why does #2 not work? (secure and httpOnly)
3. Can I remove/modify the "/" to "/gate"? I just want to use one sessionid with the httpOnly and secure flags to adapt to the requirement.
Any help will be appreciated. Sorry for my English.
Thanks,
Quang
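A check for the situation described in case #1, as an added example that is not part of the original post: it parses Set-Cookie header values, reports any JSESSIONID cookie lacking Secure or HttpOnly, flags the same name being set at more than one path, and lists which cookies a browser would send for a request path under RFC 6265 path matching. The header values are constructed, a missing Path is treated as "/" (a simplification), and the request is assumed to be HTTPS.

```python
SESSION_COOKIE = "JSESSIONID"

def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value, path and flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(),
            "path": attrs.get("path") or "/",  # assumption: no Path means "/"
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}

def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def audit(headers, name=SESSION_COOKIE):
    """Return findings for missing flags and for one name set at several paths."""
    cookies = [c for c in map(parse_set_cookie, headers) if c["name"] == name]
    findings = []
    for c in cookies:
        missing = [f for f in ("secure", "httponly") if not c[f]]
        if missing:
            findings.append("%s Path=%s missing %s"
                            % (name, c["path"], ", ".join(missing)))
    paths = sorted({c["path"] for c in cookies})
    if len(paths) > 1:
        findings.append("%s set at %d paths: %s"
                        % (name, len(paths), ", ".join(paths)))
    return findings

def sent_for(headers, request_path, name=SESSION_COOKIE):
    """Cookies a browser would send (HTTPS assumed), longer paths first."""
    cookies = [c for c in map(parse_set_cookie, headers)
               if c["name"] == name and path_matches(c["path"], request_path)]
    return sorted(cookies, key=lambda c: len(c["path"]), reverse=True)

# Constructed sample mirroring case #1: two cookies, only one with flags.
SAMPLE = [
    "JSESSIONID=AAAA1111; Path=/",
    "JSESSIONID=BBBB2222; Path=/gate; secure; HttpOnly",
]
```

For the constructed sample, a request under /gate carries both cookies, so the unflagged "/" cookie remains exposed even though the "/gate" one is protected.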
Hello
Did you manage to fix this??
thanks