Use secure and httpOnly cookies and hide jsessionid from url
I am using JBoss EAP 5.2. In order to use httpOnly and secure cookies I change context.xml file adding:
....
But now I can see the jsessionid in the URL in all requests. So in order to hide it I wrote a filter as suggested in RedHat's website (https://access.redhat.com/solutions/16169)
public class JsessionIdRemoveFilter implements Filter { public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { if (!(req instanceof HttpServletRequest)) { chain.doFilter(req, res); return; } HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; // Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots) // This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots... if (request.isRequestedSessionIdFromURL()) { String url = request.getRequestURL() .append(request.getQueryString() != null ? "?"+request.getQueryString() : "") .toString(); response.setHeader("Location", url); response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY); return; } // Prevent rendering of JSESSIONID in URLs for all outgoing links HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(response) { @Override public String encodeRedirectUrl(String url) { return url; } @Override public String encodeRedirectURL(String url) { return url; } @Override public String encodeUrl(String url) { return url; } @Override public String encodeURL(String url) { return url; } }; chain.doFilter(req, wrappedResponse); } public void destroy() { } public void init(FilterConfig arg0) throws ServletException { } }
But now I cannot login, I get an exception: javax.faces.application.ViewExpiredException
What am I missing? Please help
Responses