Use secure and httpOnly cookies and hide jsessionid from url

I am using JBoss EAP 5.2. In order to use httpOnly and secure cookies I changed the context.xml file, adding:

<Context cookies="true" crossContext="true" >
   <SessionCookie secure="true" httpOnly="true" />
   ....

But now I can see the jsessionid in the URL in all requests. So in order to hide it I wrote a filter as suggested on Red Hat's website (https://access.redhat.com/solutions/16169):

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdRemoveFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        // Only HTTP requests carry a session id; pass anything else straight through
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Redirect requests with JSESSIONID in the URL to the clean version (old links bookmarked/stored by bots).
        // This is ONLY triggered if the request did not also contain a JSESSIONID cookie, which should be fine for bots.
        // JBoss Web strips the ;jsessionid path parameter before the filter runs, so getRequestURL() is already clean.
        if (request.isRequestedSessionIdFromURL()) {
            String url = request.getRequestURL()
                    .append(request.getQueryString() != null ? "?" + request.getQueryString() : "")
                    .toString();
            response.setHeader("Location", url);
            response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
            return;
        }

        // Prevent rendering of JSESSIONID in URLs for all outgoing links: the container appends
        // ;jsessionid=... through these encode* methods whenever it cannot rely on a cookie, so
        // return every URL unchanged. The lower-case variants are deprecated aliases in Servlet 2.5
        // but are still called by some frameworks, so they are overridden too.
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(response) {
            @Override
            @SuppressWarnings("deprecation")
            public String encodeRedirectUrl(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            @Override
            @SuppressWarnings("deprecation")
            public String encodeUrl(String url) {
                return url;
            }

            @Override
            public String encodeURL(String url) {
                return url;
            }
        };
        chain.doFilter(req, wrappedResponse);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }
}

But now I cannot log in; I get an exception: javax.faces.application.ViewExpiredException

What am I missing? Please help.

Responses

Hi

Can you let us know if the solution in https://access.redhat.com/solutions/42592 helps?

Thanks
Mustafa

In order to use secure=true, a certificate needs to be installed so the requests go through HTTPS. Once this is done, the session id is not visible anymore.
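The reply above makes the point that a cookie flagged Secure is only ever sent by the browser over HTTPS; over plain HTTP the container cannot find the session and falls back to putting jsessionid in the URL, which is exactly what the filter in the question then strips. The filter below is an added example, not code from the original post or from the Red Hat solution: instead of serving pages over plain HTTP and relying on URL rewriting, it redirects any non-HTTPS request to the https:// version of the same URL, with any ;jsessionid path parameter removed so a stale session id is neither honoured nor echoed back. The package name, the assumption that HTTPS is served on port 443 on the same host name, and the filter ordering in the usage note are assumptions of this example.

```java
// Added example: not from the original post or the Red Hat solution.
// Assumptions (hypothetical): the application is reachable over HTTPS on the
// standard port 443 at the same host name, and web.xml maps this filter to /*
// ahead of JsessionIdRemoveFilter.
package com.example.filters;

import java.io.IOException;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RequireHttpsFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(RequireHttpsFilter.class.getName());

    // A ;jsessionid=... path parameter (case-insensitive), up to the next ';', '/' or '?'.
    // Defensive only: the container normally removes it before filters run.
    private static final Pattern JSESSIONID_PARAM = Pattern.compile("(?i);jsessionid=[^;/?]*");

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Over plain HTTP the browser never sends a cookie flagged Secure, so the container
            // cannot match the request to its session and falls back to ;jsessionid URL rewriting.
            // A filter that strips that id then gives every request a fresh session, which is how
            // server-side JSF view state gets lost. Redirect to HTTPS instead of serving the page.
            String target = httpsUrlFor(request);
            LOG.warning("Plain-HTTP request for " + request.getRequestURI()
                    + " (session id from URL: " + request.isRequestedSessionIdFromURL()
                    + ", from cookie: " + request.isRequestedSessionIdFromCookie()
                    + "); redirecting to " + target);
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target);
            return;
        }

        chain.doFilter(req, res);
    }

    /**
     * Builds the https:// equivalent of the request URL without any ;jsessionid path parameter,
     * so the session id from a stale link is neither reused nor leaked in the redirect.
     */
    static String httpsUrlFor(HttpServletRequest request) {
        String path = JSESSIONID_PARAM.matcher(request.getRequestURI()).replaceAll("");
        StringBuilder url = new StringBuilder("https://")
                .append(request.getServerName())   // assumption: HTTPS on port 443, same host
                .append(path);
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    public void destroy() {
    }
}
```

Map it in web.xml with a filter-mapping for /* placed before the JsessionIdRemoveFilter mapping, so the HTTPS redirect happens before any session-id handling. One caveat: request.isSecure() only reports true when the connector that received the request knows it was TLS; behind a proxy that terminates TLS and forwards plain HTTP or AJP, the connector has to be told the traffic is secure (for example via the connector's secure attribute or the RemoteIpValve), otherwise every request will be redirected in a loop.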