0 Replies Latest reply on Apr 14, 2014 2:40 PM by phoeniix

    Problem with JSESSIONID in JBoss 7.2.0 Final

    phoeniix

      We are about to launch our website under JBoss 7.2.0 after migrating from 5.1. We need to set the JSESSIONID to be HttpOnly. However, when we also set the secure flag to true, all requests to the site have a new session generated. Here is a log4j output of all images getting new session IDs for each page request.

       

      2014-04-14 11:11:42 -  INFO:F7hXB8okxG-1Dxiff5gxIjqs - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/PreBuilt/css/csa/main.css
      2014-04-14 11:11:42 -  INFO:fNYReOhPH+ylQEfckueB2i24 - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bg-s50-content.gif
      2014-04-14 11:11:42 -  INFO:NmbuvLzZsear7dKI3j-Ac+bb - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/csa-header-color-short.jpg
      2014-04-14 11:11:42 -  INFO:fRboPANFUa2H7Od7y-HOTWwE - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bkgd_sprite_horiz_repeaters.png
      2014-04-14 11:11:42 -  INFO:tuQ4Ta2d7F8Jh0tvSgYsQHO+ - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/search_bg.gif
      2014-04-14 11:11:42 -  INFO:9upqhSHwLSwunWFAp5s+1P2f - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bg-footer.gif
      2014-04-14 11:12:00 -  INFO:ipvr4THtsf9LOvmii6pE-IUg - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/oh.gif
      
      
      
      

       

      Here is our web.xml's session-config that is bundled with our app.

      <session-config>
          <session-timeout>30</session-timeout>
          <cookie-config>
              <http-only>true</http-only>
              <secure>true</secure>
          </cookie-config>
          <tracking-mode>COOKIE</tracking-mode>
      </session-config>

       

      If I remove secure, then the site works fine, where all requests keep the same JSESSIONID.

       

      Is there something I forgot to add in, or could this be a bug or feature? I'd like to be able to set the secure option for JSESSIONID alongside the HttpOnly option, if possible. Let me know if you need more information.
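
Added example, not part of the original post: a cookie marked Secure is returned by clients only over HTTPS, and every URL in the log above is http://, so the sketch below replays a few of those paths through Python's http.cookiejar against a toy server that issues a JSESSIONID whenever none is presented. The host name, the session values and Path=/ are constructed, and it assumes the requests really reach the server over plain HTTP.

```python
import email
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "site.example.test"  # constructed host, not the site from the post
# Paths taken from the log lines in the post.
PATHS = ["/PreBuilt/css/csa/main.css", "/Images/bg-s50-content.gif",
         "/Images/search_bg.gif", "/Images/oh.gif"]


class FakeResponse:
    """Minimal response object: CookieJar only needs info().get_all()."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def sessions_created(scheme, paths, secure):
    """Replay paths through one cookie jar; count sessions the toy server creates."""
    jar = CookieJar()
    created = 0
    for path in paths:
        req = Request(f"{scheme}://{HOST}{path}")
        jar.add_cookie_header(req)  # client decides whether to send the cookie
        if "JSESSIONID=" in (req.get_header("Cookie") or ""):
            continue  # server recognises the existing session
        created += 1  # no cookie presented: server starts a new session
        attrs = "; Path=/; HttpOnly" + ("; Secure" if secure else "")
        set_cookie = f"JSESSIONID=constructed-sid-{created}{attrs}"
        jar.extract_cookies(FakeResponse(set_cookie), req)
    return created


if __name__ == "__main__":
    for scheme, secure in [("http", True), ("http", False), ("https", True)]:
        n = sessions_created(scheme, PATHS, secure)
        print(f"{scheme:5} secure={secure!s:5} -> {n} session(s) for {len(PATHS)} requests")
```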