5 Replies Latest reply on Dec 9, 2004 12:53 PM by Scott Stark

    How to stop using session cookies - jboss-web.xml isn't work

    Patrick Jaromin Newbie

      I'm using jboss-3.2.5 and have a web application that must be deployed without setting session cookies.

      I looks like the "standard" way to do this is to add:

      <use-session-cookies>false</use-session-cookies> to a jboss-web.xml file in the war directory (we're using extracted war files). However, this doesn't work.

      The only way I've managed to stop session cookies from being set is to modify the server.xml file "DefaultContext" element - which makes the change global to all webapps. This, unfortunately, breaks the other apps running in this JBoss instance.

      We've been planning to deploy on Wednesday - actually, it's a very hard deadline - and now I'm desparate for a solution.

      Is there something I'm missing? Anything else worth a try? Please help.

      - Patrick

        • 1. Re: How to stop using session cookies - jboss-web.xml isn't
          Joan Horta  Tosas Novice

          Not really sure, but try setting the "override" attribute of DefaultContext element on server.xml file of Tomcat to false. I think that is set to true by default, which overrides your application configuration setting the cookies on.

          • 2. Re: How to stop using session cookies - jboss-web.xml isn't
            Patrick Jaromin Newbie

            Thanks for the reply....unfortunately it doesn't appear to work. I changed the override attribute of the DefaultContext element in the server.xml file to "false"....but still got cookies.

            I also tried putting a "context.xml" file in the META-INF (and WEB-INF - shooting in the dark here) with based on the tomcat 5.0 docs (http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/defaultcontext.html)

            Ultimately, the *only* thing that I have tried that prevents JBoss/Tomcat from setting a cookie is changing the "DefaultContext" element in jbossweb server.xml file (cookies="false")...although as previously stated, this is unacceptable since the other apps in the same server instance will now fail. I've even tried this in reverse - disabling in server.xml and adding a jboss-web.xml file to *use* cookies, but that didn't work either.

            Is there an easy way to verify if JBoss is even picking up on the jboss-web.xml file??

            Any other thoughts? Does anyone have this working or is this a bug in JBoss 3.2.5?


            • 3. Re: How to stop using session cookies - jboss-web.xml isn't
              Scott Stark Master

              You need to upgrade to 3.2.6 where you can use a war/WEB-INF/context.xml to control the war properties, for example a jmx-console.war/WEB-INF/context.xml:

              <Context path="/jmx-console" cookies="false" override="true" />

              • 4. Re: How to stop using session cookies - jboss-web.xml isn't
                Patrick Jaromin Newbie

                Thanks, as always for the information, Scott.

                I'm hopeful, however that there's a way to to patch the server rather than do a complete upgrade. We are running a dozen instances of JBoss and I have taken considerable time to create a customized maven goal to generate new servers. In fact, I've already gone through the process of creating the server generation code and *thorougly* testing applications in my environment 3 times - with versions 3.2.3, 3.2.4 and 3.2.5 since there were significant and different "show stopper" bugs in each version prior to 3.2.5. I am therefore rather reluctant to start up the upgrade treadmill all over again.

                Please don't take this too harshly as I have a great deal of respect for the people who dedicate their time to this opensource software (we do contribute to various FOSS projects), and do understand the difficulties of managing a project of this size and complexity.

                Is it possible that I could upgrade merely the jbossweb module and have any expectation of it working? Or, are patch upgrades to fix these types of problems something that is provided (or only provided) with paid support?

                • 5. Re: How to stop using session cookies - jboss-web.xml isn't
                  Scott Stark Master

                  You can always start with the expecation of it working. The reality will depend on the changes that exist in the newer version. You can always get the code and look at how the feature was added and patch the version yourself.

                  Custom patches for arbitrary versions are only done under support contracts.