I am creating a JSF application deployed in Tomcat/EE (with CLIENTCERTs). By default, the jsessionid (generated with a SecureRandom, so it looks safe) was set in the URL, which I disabled for security reasons by changing the SessionTrackingMode.
Now I am trying to find the security advantages/disadvantages of using:
<tracking-mode>SSL</tracking-mode> vs. <tracking-mode>COOKIE</tracking-mode>
(considering security almost always has an impact on performance and other variables). Probably one of the problems is that I do not know what SSL tracking-mode exactly does. This API documentation is not very clear.
When should I use one or the other?
PS: I know this is not specific to Tomcat or JSF, but I need to give context to the question.
Why is Session Tracking Required? Because the HTTP protocol is stateless, we require Session Tracking to make the client-server relationship stateful. Session tracking is important for tracking conversions in online shopping, mailing applications, and E-Commerce applications.
Session tracking is a mechanism that servlets use to maintain state about a series of requests from the same user (that is, requests originating from the same browser) across some period of time. Sessions are shared among the servlets accessed by a client.
I would recommend the use of cookie-based session-tracking over SSL session-tracking for a few reasons:
FWIW, IBM WebSphere has dropped support for SSL-based session-tracking as of version 7.0 (circa 2008).
I don't see any advantage to using SSL-based session-tracking.
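To make the recommendation above concrete, here is an added example of a Servlet 3.x web.xml session-config that keeps the jsessionid out of the URL and hardens the session cookie. It is not taken from the question or the answer; the Servlet 3.1 namespace, the 30-minute timeout and the catch-all security constraint are assumptions for a plain Tomcat deployment that is served entirely over HTTPS (as the CLIENT-CERT setup in the question already implies). The SSL alternative is shown commented out, with the two caveats a practitioner should know: the Servlet specification requires SSL to be the only tracking mode (it cannot be combined with COOKIE or URL), and in Tomcat the servlet session id becomes the TLS session id, so a new TLS handshake means a new, empty servlet session.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the question or the answer): session-config for
     cookie-only tracking with a hardened cookie. Timeout and constraint names
     are placeholders. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <session-config>
    <!-- Idle timeout in minutes; choose what the application actually needs. -->
    <session-timeout>30</session-timeout>

    <cookie-config>
      <!-- Not exposed to document.cookie, so an XSS payload cannot read it directly. -->
      <http-only>true</http-only>
      <!-- The browser sends the cookie only over HTTPS, matching an all-TLS deployment. -->
      <secure>true</secure>
    </cookie-config>

    <!-- COOKIE only: URL rewriting stays off, so the id never ends up in access
         logs, Referer headers or bookmarks. Listing URL here as well would
         re-enable that leak for clients that reject cookies. -->
    <tracking-mode>COOKIE</tracking-mode>

    <!-- SSL alternative: the servlet session is keyed by the TLS session id.
         The specification requires it to be the sole tracking mode, and the
         servlet session is lost whenever the client negotiates a new TLS session.
    <tracking-mode>SSL</tracking-mode>
    -->
  </session-config>

  <!-- Forces HTTPS for every request; the Secure cookie flag above relies on this. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all-resources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

After deploying, check the Set-Cookie header of the first response: it should carry `JSESSIONID=...; Path=/...; Secure; HttpOnly`, and no link rendered by JSF should contain `;jsessionid=`. If the application must keep working for clients that refuse cookies, that is the one case where adding URL back is a deliberate trade-off rather than an oversight.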