 

How to change jsessionid cookie path to server root in Spring app on Jetty?

I have a Jetty server running a Spring app on the /app context. The app uses sessions, so it sets a session cookie, which responds like this:

set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/app; HttpOnly

I need that cookie to have a path of / instead of the webapp's context. Plus I want to use secure cookies. I want this response:

set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/; HttpOnly; Secure

Where is the proper place to configure the session cookie? Does Spring help with this? Should it be in web.xml? Or do I need to configure it in a container-specific way, such as jetty-web.xml?

I've tried a bunch of things, but nothing has worked so far. Below are some things I tried.


Attempt #1

Created WEB-INF/jetty-web.xml with the following:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
      <Get name="sessionManager">
        <Set name="sessionCookie">MYJETTYSESSION</Set>
        <Set name="sessionPath">/</Set>
        <Set name="secureCookies" type="boolean">true</Set>
        <Set name="httpOnly" type="boolean">true</Set>
      </Get>
    </Get>
</Configure>

This causes an exception to be thrown:

2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Set name="sessionPath">/</Set> java.lang.NoSuchMethodException: class org.eclipse.jetty.server.session.HashSessionManager.setSessionPath(class java.lang.String)
2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Get name="sessionManager"><Set name="sessionCookie">MYJETTYSESSION</Set><Set name="sessionPath">/</Set><Set name="secureCookies">true</Set><Set name="httpOnly">true</Set></Get> java.lang.NoSuchMethodException: class org.eclipse.jetty.server.session.HashSessionManager.setSessionPath(class java.lang.String)
2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Get name="sessionHandler"><Get name="sessionManager"><Set name="sessionCookie">MYJETTYSESSION</Set><Set name="sessionPath">/</Set><Set name="secureCookies">true</Set><Set name="httpOnly">true</Set></Get></Get> java.lang.NoSuchMethodException: class 

The full stack trace is in this gist.

Attempt #2

Created WEB-INF/jetty-web.xml with the following:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionCookie</Arg>
        <Arg>MYSESSIONID</Arg>
    </Call>
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionIdPathParameterName</Arg>
        <Arg>mysessionid</Arg>
    </Call>
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionPath</Arg>
        <Arg>/</Arg>
    </Call>
</Configure>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Attempt #3

Updated WEB-INF/web.xml with the following:

<context-param>
    <param-name>org.eclipse.jetty.servlet.SessionPath</param-name>
    <param-value>/</param-value>
</context-param>
<context-param>
    <param-name>org.eclipse.jetty.servlet.SessionCookie</param-name>
    <param-value>MYSESS</param-value>
</context-param>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Attempt #4

Updated WEB-INF/web.xml with the following:

<session-config>
    <session-timeout>720</session-timeout>
    <cookie-config>
        <name>SZSESSION</name>
        <path>/</path>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Maven configuration

Note that I'm using Jetty Maven Plugin version 8.1.5.v20120716 and doing a mvn jetty:run:

<jetty.maven.plugin.version>8.1.5.v20120716</jetty.maven.plugin.version>
<spring.version>3.0.0.RELEASE</spring.version>
  ...
<plugin>
    <groupId>org.mortbay.jetty</groupId>
    <artifactId>jetty-maven-plugin</artifactId>
    <version>${jetty.maven.plugin.version}</version>
    <configuration>
        <scanIntervalSeconds>10</scanIntervalSeconds>
        <reload>manual</reload>
        <stopPort>${jetty.stop.port}</stopPort>
        <stopKey>foo</stopKey>
        <webAppConfig>
              <contextPath>/app</contextPath>
        </webAppConfig>
    </configuration>
       ...
</plugin>
asked Oct 06 '12 00:10

Tauren



1 Answer

Attempt #4 is on the right track.

Provided I am reading this right, you're using the Maven configuration on the context /app, which means that in your web.xml the / in your settings is /app, because that is the root of the context you're configuring.

Put another way, you can't configure the session for www.foo.com/ if you are only deploying into the www.foo.com/app context. Imagine if someone else were deploying apps into that URL: you can't just decide to make your session cookies apply to everyone operating under that URL.

answered Oct 23 '22 14:10

jesse mcconnell
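
Added example, not part of the original question or answer: a small model of the RFC 6265 path-match rule and the Secure attribute, applied to the two Set-Cookie lines quoted in the question, to show which requests on a shared host would carry the session cookie. The function names and the sample URLs (the www.foo.com host is borrowed from the answer; the /application and /other paths are constructed) are assumptions for illustration.

```javascript
// Host-only cookie model: RFC 6265 path-match plus the Secure attribute.
// Cookies without a Path attribute (RFC default-path) are not modelled here.
function parseSetCookie(line) {
  const value = line.replace(/^set-cookie:\s*/i, "");
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), path: null,
                   secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "path") cookie.path = v.trim();
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  if (!cookie.path || !cookie.path.startsWith("/")) {
    throw new Error("example requires an explicit absolute Path attribute");
  }
  return cookie;
}

// RFC 6265 section 5.1.4: identical paths match; otherwise the cookie path
// must be a prefix that ends at a "/" boundary of the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// True when a browser would attach the cookie to a same-host request.
function wouldSend(setCookieLine, requestUrl) {
  const cookie = parseSetCookie(setCookieLine);
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== "https:") return false;
  return pathMatches(url.pathname, cookie.path);
}

function exposure(setCookieLine, urls) {
  return urls.filter((u) => wouldSend(setCookieLine, u));
}

// The two header lines from the question; the URLs are constructed samples.
const CURRENT_HEADER = "set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/app; HttpOnly";
const WANTED_HEADER = "set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/; HttpOnly; Secure";
const SAMPLE_URLS = ["https://www.foo.com/app/login", "https://www.foo.com/application/x",
                     "https://www.foo.com/other/", "http://www.foo.com/app/login"];
console.log("Path=/app:", exposure(CURRENT_HEADER, SAMPLE_URLS));
console.log("Path=/; Secure:", exposure(WANTED_HEADER, SAMPLE_URLS));
```

With Path=/app the cookie stays inside the /app context, including over plain HTTP; with Path=/ and Secure it reaches every application on the host, but only over HTTPS.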