0 Replies Latest reply on Apr 14, 2014 2:40 PM by Marc Schroeder

    Problem with JSESSIONID in JBoss 7.2.0 Final

    Marc Schroeder Newbie

      We are about to launch our website under JBoss 7.2.0 after migrating from 5.1.  We need to set the JSESSIONID to be HttpOnly.  However when we also set the secure flag to true, all requests to the site have a new session generated.  Here is a log4j output of all images getting new session id's for each page request.

       

      2014-04-14 11:11:42 -  INFO:F7hXB8okxG-1Dxiff5gxIjqs - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/PreBuilt/css/csa/main.css
      2014-04-14 11:11:42 -  INFO:fNYReOhPH+ylQEfckueB2i24 - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bg-s50-content.gif
      2014-04-14 11:11:42 -  INFO:NmbuvLzZsear7dKI3j-Ac+bb - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/csa-header-color-short.jpg
      2014-04-14 11:11:42 -  INFO:fRboPANFUa2H7Od7y-HOTWwE - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bkgd_sprite_horiz_repeaters.png
      2014-04-14 11:11:42 -  INFO:tuQ4Ta2d7F8Jh0tvSgYsQHO+ - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/search_bg.gif
      2014-04-14 11:11:42 -  INFO:9upqhSHwLSwunWFAp5s+1P2f - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bg-footer.gif
      2014-04-14 11:12:00 -  INFO:ipvr4THtsf9LOvmii6pE-IUg - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/oh.gif
      
      
      
      

       

      Here is our web.xml's session-config that is bundled with our app.

       

      
      
      
      
      <session-config>
      
      
      
      <session-timeout>30</session-timeout>
      
      
      
      <cookie-config>
      
      
      
      <http-only>true</http-only>
      
      
      
      <secure>true</secure>
      
      
      
      </cookie-config>
      
      
      
      <tracking-mode>COOKIE</tracking-mode>
      
      
      
      </session-config>
      
      
      
      
      
      
      

       

      If I remove secure, then the site works fine, where all requests keep the same JSESSIONID.

       

      Is there something I forgot to add in, or could this be a bug or feature?  I'd like to be able to set the secure option for JSESSIONID alongside the HttpOnly option, if possible.  Let me know if you even need more information.