Use secure and httpOnly cookies and hide jsessionid from url
I am using JBoss EAP 5.2. In order to use httpOnly and secure cookies I change context.xml file adding:
<Context cookies="true" crossContext="true" >
<SessionCookie secure="true" httpOnly="true" />
....
But now I can see the jsessionid in the URL in all requests. So in order to hide it I wrote a filter as suggested in RedHat's website (https://access.redhat.com/solutions/16169)
public class JsessionIdRemoveFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
if (!(req instanceof HttpServletRequest)) {
chain.doFilter(req, res);
return;
}
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots)
// This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots...
if (request.isRequestedSessionIdFromURL()) {
String url = request.getRequestURL()
.append(request.getQueryString() != null ? "?"+request.getQueryString() : "")
.toString();
response.setHeader("Location", url);
response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
return;
}
// Prevent rendering of JSESSIONID in URLs for all outgoing links
HttpServletResponseWrapper wrappedResponse =
new HttpServletResponseWrapper(response) {
@Override
public String encodeRedirectUrl(String url) {
return url;
}
@Override
public String encodeRedirectURL(String url) {
return url;
}
@Override
public String encodeUrl(String url) {
return url;
}
@Override
public String encodeURL(String url) {
return url;
}
};
chain.doFilter(req, wrappedResponse);
}
public void destroy() {
}
public void init(FilterConfig arg0) throws ServletException {
}
}
But now I cannot login, I get an exception: javax.faces.application.ViewExpiredException
What am I missing? Please help