Problem with JSESSIONID in JBoss 7.2.0 Final
phoeniix Apr 14, 2014 2:40 PM

We are about to launch our website under JBoss 7.2.0 after migrating from 5.1. We need to set the JSESSIONID to be HttpOnly. However when we also set the secure flag to true, all requests to the site have a new session generated. Here is a log4j output of all images getting new session id's for each page request.
2014-04-14 11:11:42 - INFO:F7hXB8okxG-1Dxiff5gxIjqs - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/PreBuilt/css/csa/main.css
2014-04-14 11:11:42 - INFO:fNYReOhPH+ylQEfckueB2i24 - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bg-s50-content.gif
2014-04-14 11:11:42 - INFO:NmbuvLzZsear7dKI3j-Ac+bb - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/csa-header-color-short.jpg
2014-04-14 11:11:42 - INFO:fRboPANFUa2H7Od7y-HOTWwE - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bkgd_sprite_horiz_repeaters.png
2014-04-14 11:11:42 - INFO:tuQ4Ta2d7F8Jh0tvSgYsQHO+ - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/search_bg.gif
2014-04-14 11:11:42 - INFO:9upqhSHwLSwunWFAp5s+1P2f - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/bg-footer.gif
2014-04-14 11:12:00 - INFO:ipvr4THtsf9LOvmii6pE-IUg - UrlRewrite.processCmsUrl:(48) | processCmsUrl: http://mxsfarm.csatravelprotection.com/Images/oh.gif
Here is our web.xml's session-config that is bundled with our app.
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
If I remove secure, then the site works fine, where all requests keep the same JSESSIONID.
Is there something I forgot to add in, or could this be a bug or feature? I'd like to be able to set the secure option for JSESSIONID alongside the HttpOnly option, if possible. Let me know if you need any more information.
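Added illustration of the mechanism behind the behaviour described above (not code from the original post or from JBoss): a cookie carrying the Secure attribute is kept by the client but never returned on a plain http:// request, so a servlet container that receives no JSESSIONID mints a fresh session for every image fetch; over https:// the same cookie comes back. The host name and session id are constructed, and Python's standard http.cookiejar stands in for the browser.

```python
"""Added illustration, not from the original post: a Secure JSESSIONID is
stored by the client but never sent back over plain http://, so the servlet
container sees no session cookie and creates a new session per request.
The host name and session id below are constructed."""
from typing import Optional
import email.message
import http.cookiejar
import urllib.request

SITE = "http://mxsfarm.example.com/"  # constructed; the logged URLs are http:// too
SESSION = "JSESSIONID=c0nstructedSessionId01"
# The two Set-Cookie shapes the post's session-config produces, with and
# without <secure>true</secure>.
SECURE_COOKIE = SESSION + "; Path=/; Secure; HttpOnly"
PLAIN_COOKIE = SESSION + "; Path=/; HttpOnly"


class FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar only needs .info()."""

    def __init__(self, set_cookie: str):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie: str, request_url: str) -> Optional[str]:
    """Store set_cookie as if it arrived in a response from SITE, then return
    the Cookie header a client attaches to request_url (None if withheld)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(SITE))
    req = urllib.request.Request(request_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    image = "Images/oh.gif"
    # <secure>true</secure> and the page fetched over http://: the cookie is
    # withheld, so every request reaches the container without a session id.
    print("secure cookie over http :", cookie_sent(SECURE_COOKIE, SITE + image))
    # Same cookie, same page fetched over https://: the cookie is returned.
    print("secure cookie over https:", cookie_sent(SECURE_COOKIE, SITE.replace("http:", "https:") + image))
    # <secure> removed: HttpOnly alone does not restrict the transport.
    print("plain cookie over http  :", cookie_sent(PLAIN_COOKIE, SITE + image))
```

The check a practitioner wants before enabling `<secure>true</secure>` is therefore that the site is actually reached over HTTPS end to end (including any proxy in front of JBoss); the flag itself is working as designed.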