I have to make access logs for my web application. We are using Apache HTTP Server in front of JBoss. I am using the Apache access log directive for that, but the problem is that there is no directive to get the session ID in the access log. I need the session ID in the access logs for a statistics report. Please, if anyone has a solution, help me.
If your web application always uses cookies to manage sessions, you will be fine with changing your LogFormat and adding a parameter for logging the specific cookie:
LogFormat ... \"%{JSESSIONID}C\" ... combined
This does not work on the first request, as usually no cookie is sent to the server. See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats:
%{Foobar}C
The contents of cookie Foobar in the request sent to the server. Only version 0 cookies are fully supported.
If you need to log every jsessionid, even those encoded into the URL string, you can set a header on your web application server (like Tomcat) like this:
response.setHeader("X-JSESSIONID", request.getSession().getId());
In the Apache LogFormat you can log this response header with
%{Foobar}o
The contents of Foobar: header line(s) in the reply.
So it results in something like this:
LogFormat ... \"%{X-JSESSIONID}o\" ... combined
But keep an eye on security: you should not log the jsessionid, because everyone who has access to the log file can hijack every user session. When you set a header line in your Tomcat, you should maybe encrypt the session ID.
String sessionId = request.getSession().getId();
String crypt = yourcryptalgo(sessionId);
response.setHeader("X-JSESSIONID", crypt);
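One way to fill in the yourcryptalgo placeholder above, as an added example that is not part of the original answer: it swaps encryption for a keyed one-way hash (HMAC-SHA256), so the value in the log is stable per session for statistics but cannot be turned back into a usable session ID by someone who only reads the log. The class name SessionLogToken, the key handling, and the sample session IDs are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: derives a stable, non-reversible log token from a session ID. */
public final class SessionLogToken {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public SessionLogToken(byte[] secret) {
        // Assumption: the secret comes from server-side configuration that
        // people who can read the access logs cannot read.
        if (secret == null || secret.length < 32) {
            throw new IllegalArgumentException("need at least 32 bytes of key material");
        }
        this.key = new SecretKeySpec(secret, ALG);
    }

    /** Same session ID gives the same token, so per-session statistics still work. */
    public String tokenFor(String sessionId) {
        try {
            Mac mac = Mac.getInstance(ALG); // Mac instances are not thread-safe: one per call
            mac.init(key);
            byte[] tag = mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
            // 16 bytes (128 bits) keeps the log field short and collisions negligible.
            return Base64.getUrlEncoder().withoutPadding()
                         .encodeToString(Arrays.copyOf(tag, 16));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed key and session IDs, for demonstration only.
        byte[] demoKey = "constructed-demo-key-0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        SessionLogToken tokens = new SessionLogToken(demoKey);
        String a = tokens.tokenFor("0A1B2C3D4E5F-constructed-session-1");
        String b = tokens.tokenFor("0A1B2C3D4E5F-constructed-session-2");
        System.out.println(a + " (22 chars, stable for session 1)");
        System.out.println(b + " (different session, different token)");
        // In the servlet, before the response is committed:
        //   response.setHeader("X-JSESSIONID", tokens.tokenFor(request.getSession().getId()));
    }
}
```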