Topic
  • 3 replies
  • Latest Post - ‏2012-06-21T07:47:50Z by Chris535
ChetanMenge
2 Posts

Making JSESSIONID cookie secure, i.e. "Restrict cookies to HTTPS sessions"

2011-11-08T11:11:54Z
Our application is using the JSESSIONID cookie.
I want to update this cookie to make it secure, i.e. "Restrict cookies to HTTPS sessions".
We have a clustered environment (more than one application server).

There are a couple of ways to achieve this:

1. By using the WAS Console:
Console for Application Servers > WebSphere_Portal > Session management > Cookies.

But this will not help me, because this setting will apply to all web modules / all applications residing on it.
We have internet and intranet versions (deployed on the same JVM), so we want to make the JSESSIONID cookie secure only for the internet version.

2. Programmatic:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Re-issue the incoming JSESSIONID cookie with the Secure flag set.
// A WebSphere JSESSIONID has the form <cacheID><sessionID>:<cloneID>, so the
// cache ID and clone ID are taken from the cookie the client already sent.
private void secureSessionCookie(HttpServletRequest request, HttpServletResponse response) {
    Cookie[] cookies = request.getCookies();
    if (cookies == null || cookies.length == 0) {
        return;
    }
    for (Cookie cookie : cookies) {
        if (!cookie.getName().equalsIgnoreCase("JSESSIONID")) {
            continue;
        }
        String cookieValue = cookie.getValue();
        if (cookieValue == null || cookieValue.length() < 4) {
            continue;                                   // malformed value, nothing to rewrite
        }
        String cacheID = cookieValue.substring(0, 4);   // first four characters: cache ID
        String[] cloneIDs = cookieValue.split(":");
        String cloneID = "";
        if (cloneIDs.length > 1) {
            cloneID = ":" + cloneIDs[1];                // keep the clone ID of the current node
        }

        cookie.setValue(cacheID + request.getSession().getId() + cloneID);
        cookie.setPath("/");
        cookie.setSecure(true);                         // "Restrict cookies to HTTPS sessions"
        response.addCookie(cookie);
    }
}

In the above approach, we depend on the previous cookie to get the cacheID and cloneID.
The above approach will work fine, but it has an issue / concern related to a stale JSESSIONID, i.e.:
1. if the request is from a bookmarked page / the page is cached at the client side;
2. if a new request goes to a different cluster (in case one of the nodes is down).
So is there any other solution for making JSESSIONID secure?
I.e. is there a way to enable this in the deployment descriptors (web.xml, application.xml, ibm-web-bnd.xmi, ibm-web-ext.xmi)?

In WebLogic we can achieve this by modifying weblogic.xml. So is there any way (config files)
to achieve this?
  • gas
    47 Posts

    Re: Making JSESSIONID cookie secure, i.e. "Restrict cookies to HTTPS sessions"

    2011-11-08T23:23:05Z
    Hi,

    > 1. By using WAS Console,
    > Console for Application Servers > WebSphere_Portal > Session management > Cookies.

    > But this will not help me, because this setting will apply to all web module / all application residing on it.

    This is not entirely true, since you can override 'Session management' settings per application or even per web module.
    So go to your application via:
    Enterprise Applications > YourInternetApplicationVersion > Session management > Cookies
    and enable 'Restrict cookies to HTTPS sessions' there.
  • ChetanMenge
    2 Posts

    Re: Making JSESSIONID cookie secure, i.e. "Restrict cookies to HTTPS sessions"

    2011-11-18T14:20:05Z
    Thanks gas,
    Yes, we can have these settings at application level or even at module level.
    I'm able to make the JSESSIONID cookie secure.

    But one thing: these settings are at WAS admin console level.
    So, if the application is ever uninstalled and re-installed, it would have to be re-enabled.

    So exactly in which XML / configuration file does this configuration get saved? Then we could override this value in the XML file and bundle it in the EAR so that we don't need to re-enable it every time we re-install this application.
  • Chris535
    1 Post

    Re: Making JSESSIONID cookie secure, i.e. "Restrict cookies to HTTPS sessions"

    2012-06-21T07:47:50Z
    Have you worked out how to save the configuration?