Multiple Cookies with the name 'JSESSIONID' getting created

 
Sunil Chavan
Greenhorn
Posts: 28
Hi,

In my application I want to make the JSESSIONID cookie httpOnly and want to specify a path for it for security purposes, as it has '/' as the default path. So I added the following code after session creation.



After this, the JSESSIONID cookie path is getting set as I have mentioned.

But as the request is processed further, another JSESSIONID cookie is getting created with '/' as the default path.

How can I restrict it from getting created?

Any help would be appreciated.

Thanks & Regards,

Sunil Chavan
 
Devaka Cooray
ExamLab Creator
Marshal
Posts: 4588
You should never interact with the JSESSIONID cookie which is used for session tracking.

  • Use a Servlet Filter.
  • In that filter, use request.getSession() method to create a session, only when the criteria is matched (path==/MyPath/MyApp/).
  • Use JSPs just as viewer components and use <%@ page session="false" %> to disable creating sessions in JSPs.


  • This sounds not related to JSP. Moving to Servlets...
     
    Sunil Chavan
    Greenhorn
    Posts: 28
    Hi,
    Thanks for your reply.
    "Use a Servlet Filter. In that filter, use request.getSession() method to create a session"

    I have a Filter implemented which checks for a valid session id on every request. But the session creation part is in other class files, where the session gets created only after authentication.

    "only when the criteria is matched (path==/MyPath/MyApp/)."

    How can I check the path criteria for session creation or while setting the cookie?

    Regards
    Sunil Chavan.
     
    Ben Souther
    Sheriff
    Posts: 13411
    You don't.
    The session id is handled by the container.

    If what it provides is insufficient for your purposes you would need to implement your own session handling mechanism.
     
    Sunil Chavan
    Greenhorn
    Posts: 28
    I am perfectly OK with how the container is handling the session. I just wanted to make the JSESSIONID cookie httpOnly and want to set its path, as it is suggested by the Security Audit Group team.
    But I am still unable to do it.
    Any guidance related to it would be very helpful.

    Regards,
    Sunil Chavan
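
Added example, not part of the thread and not any poster's code: browsers key cookies by name, domain and path, so a hand-built JSESSIONID cookie with a different path sits beside the container's own cookie instead of replacing it. On a Servlet 3.0+ container (an assumption; the thread does not name the container or its version) the container can be told to issue its own session cookie as HttpOnly with a chosen path. The listener class name and the `sessionCookiePath` init-param are hypothetical names chosen for this sketch.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Asks the container to emit its own session cookie with HttpOnly and a
 * restricted path, so the application never writes a JSESSIONID cookie itself.
 * Assumes Servlet 3.0+ (javax.servlet; jakarta.servlet on Jakarta EE 9+).
 */
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    // Hypothetical context init-param name chosen for this example.
    static final String PATH_PARAM = "sessionCookiePath";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        String contextPath = ctx.getContextPath(); // "" for the root context

        // Use the configured path (e.g. /MyPath/MyApp/ from the thread),
        // otherwise fall back to the application's own context path.
        String path = ctx.getInitParameter(PATH_PARAM);
        if (path == null || path.isEmpty()) {
            path = contextPath.isEmpty() ? "/" : contextPath;
        }

        // A cookie path outside the context is never sent back on requests
        // to this application, so every request would start a new session.
        if (!path.startsWith(contextPath)) {
            throw new IllegalStateException("Session cookie path '" + path
                    + "' is outside context path '" + contextPath + "'");
        }

        // Must be called during context initialization; the setters throw
        // IllegalStateException once the context has been initialized.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setPath(path);
        ctx.log("Session cookie configured: HttpOnly, path=" + path);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

The same settings can be declared in web.xml under `<session-config><cookie-config>` with the `<http-only>` and `<path>` elements, which avoids code entirely.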
     