Jeanne Boyarsky wrote:You shouldn't be updating that cookie directly. It is getting the path from a server configuration.
FYI, that is done in WEB-INF/weblogic.xml :
I run into this recently with WebLogic 10.3.5 deploying two apps.
But instead of one app invalidating the session also for the other app, I experienced that invalidating the session in one app does not do (almost) anything, if there is an active session on the other.
- user only opens app1, he gets a JSESSIONID cookie
- user clicks a link that calls session.invalidate()
- when user loads a page from app1 that uses a session, he gets a new value in the JSESSIONID cookie
But in this case:
- user opens app1, he gets a JSESSIONID cookie
- user opens app2, the JSESSIONID cookie remains the same
- user clicks a link in app1 that calls session.invalidate()
in this case the OP reported that both sessions are lost, but in my case not. The JSESSIONID value remained the same and app2 continued to work with the old session (this is good). But app1 still also used the same JSESSIONID value (the session itself was destroyed and later replaced with a new one).
Maybe this was a fix added in WebLogic 10.3.5 (or a bit earlier)?
Now the problem and the reason I am writing: The described fact that the JSESSIONID value remains the same even if the app invalidates the session leaves the doors open for a "session fixation" attack (see description links below).
JBoss (at least 7.1.1) and tomcat (8.0.x) behave differently. They send a different cookie for each app, having path=/app1 and path=/app2
Is WebLogic deviating from the specs? The behavior is sure surprising.
description at wikipedia
description at OWASP