Use secure and httpOnly cookies and hide jsessionid from url

I am using JBoss EAP 5.2. In order to use httpOnly and secure cookies I changed the context.xml file, adding:

<Context cookies="true" crossContext="true" >
   <SessionCookie secure="true" httpOnly="true" />
   ....

But now I can see the jsessionid in the URL in all requests. So in order to hide it I wrote a filter as suggested on Red Hat's website (https://access.redhat.com/solutions/16169):

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdRemoveFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        // Only HTTP requests carry a session id; pass anything else straight through
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots)
        // This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots...
        if (request.isRequestedSessionIdFromURL()) {
            // getRequestURL() does not include the ;jsessionid path parameter, so this is the clean URL
            String url = request.getRequestURL()
                    .append(request.getQueryString() != null ? "?" + request.getQueryString() : "")
                    .toString();
            response.setHeader("Location", url);
            response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
            return;
        }

        // Prevent rendering of JSESSIONID in URLs for all outgoing links:
        // the container rewrites URLs through these encode* methods, so returning
        // the URL unchanged disables URL-based session tracking for this response.
        // (encodeUrl/encodeRedirectUrl are the deprecated Servlet 2.x spellings,
        // overridden as well in case older code calls them.)
        HttpServletResponseWrapper wrappedResponse =
            new HttpServletResponseWrapper(response) {
                @Override
                public String encodeRedirectUrl(String url) {
                    return url;
                }

                @Override
                public String encodeRedirectURL(String url) {
                    return url;
                }

                @Override
                public String encodeUrl(String url) {
                    return url;
                }

                @Override
                public String encodeURL(String url) {
                    return url;
                }
            };
        chain.doFilter(req, wrappedResponse);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}

But now I cannot log in; I get an exception: javax.faces.application.ViewExpiredException

What am I missing? Please help.

Responses

Hi

Can you let us know if the solution in https://access.redhat.com/solutions/42592 helps?

Thanks
Mustafa

In order to use secure=true, a certificate needs to be installed so the requests go through https. Once this is done, the session id is not visible anymore.
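As an added illustration of the two points in this thread (constructed example code, not from the original post and not from the Red Hat solution articles linked above): a small Python check that parses the Set-Cookie header a container emits, flags a missing Secure or HttpOnly attribute, flags the situation the reply above describes (a Secure cookie issued over plain http, which a browser will never send back), and detects a jsessionid path parameter in a URL. The session_survives_next_request function models the assumption behind the reported ViewExpiredException: the container offers the session id by cookie and, when the cookie does not come back, by URL rewriting; the posted filter removes the URL form, so over http with a Secure cookie the server sees no session at all on the next request. The header value and URLs below are constructed sample input.

```python
"""Checks for the JSESSIONID hardening discussed in this thread (added example)."""
import re
from urllib.parse import urlsplit

# Servlet containers carry the session id as a path parameter, e.g. /app/login.jsf;jsessionid=ABC123
JSESSIONID_IN_PATH = re.compile(r";jsessionid=([^;?#]+)", re.IGNORECASE)


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def browser_returns_cookie(attrs, scheme):
    """RFC 6265 rule: a cookie marked Secure is only sent back over https."""
    return attrs.get("secure") is not True or scheme == "https"


def audit_session_cookie(header, scheme):
    """Return findings for a session cookie issued on a page served over `scheme`."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: missing HttpOnly (readable from script)")
    if attrs.get("secure") is not True:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    elif not browser_returns_cookie(attrs, scheme):
        findings.append(f"{name}: Secure but served over {scheme}; "
                        "the browser never returns it, so every request starts a new session")
    return findings


def find_jsessionid_in_url(url):
    """Return the session id exposed in the URL path, or None if the URL is clean."""
    match = JSESSIONID_IN_PATH.search(urlsplit(url).path)
    return match.group(1) if match else None


def session_survives_next_request(set_cookie_header, scheme, filter_strips_url_rewriting):
    """Model of the failure in the original post (assumption: the container falls back to
    URL rewriting whenever the session cookie is not returned). The session survives only
    if the browser returns the cookie, or if URL rewriting is still available."""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    if browser_returns_cookie(attrs, scheme):
        return True
    return not filter_strips_url_rewriting


if __name__ == "__main__":
    # Constructed sample header, as the context.xml change above would make the container emit it
    hardened = "JSESSIONID=CONSTRUCTED0123; Path=/app; Secure; HttpOnly"
    for scheme in ("http", "https"):
        print(scheme, audit_session_cookie(hardened, scheme) or ["ok"],
              "login keeps session:", session_survives_next_request(hardened, scheme, True))
    print(find_jsessionid_in_url("http://example.invalid/app/login.jsf;jsessionid=CONSTRUCTED0123?x=1"))
```

Run on the Secure cookie with scheme "http" the audit reports the reply's point, and the model returns False for the filtered case: that is the combination the original post describes. With scheme "https" the audit is clean, the cookie comes back, and the filter can safely strip URL rewriting.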
