 

What are the advantages of tracking-mode SSL vs. COOKIE?

I am creating a JSF application deployed in Tomcat/EE (with CLIENTCERTs). By default, the jsessionid (generated with a SecureRandom, so it looks safe) was set in the URL, which I disabled for security reasons by changing the SessionTrackingMode.

Now I am trying to find the security advantages/disadvantages of using:

<tracking-mode>SSL</tracking-mode> vs. <tracking-mode>COOKIE</tracking-mode>

(considering security almost always has an impact on performance and other variables). Probably one of the problems is that I do not know what SSL tracking-mode exactly does. This API documentation is not very clear.

When should I use one or the other?

PS: I know this is not specific to Tomcat or JSF, but I need to give context to the question.

user1156544 asked Feb 27 '18 18:02




1 Answer

I would recommend the use of cookie-based session-tracking over SSL session-tracking for a few reasons:

  1. Using SSL session-tracking may prevent explicit (user-initiated) logouts
  2. Using SSL session-tracking may prevent sessions from being terminated due to inactivity-timeouts
  3. Using SSL session-tracking may cause unexpected logouts (due to TLS renegotiation, which changes the TLS session-id)
  4. Using SSL session-tracking will make it harder to debug, troubleshoot, and generally manipulate your own application if necessary (telling a client to clear their cookies is easier and less arcane than asking them to expire their TLS session-ids)

FWIW, IBM WebSphere has dropped support for SSL-based session-tracking as of version 7.0 (circa 2008).

I don't see any advantage to using SSL-based session-tracking.

Christopher Schultz answered Nov 16 '22 01:11
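As an added example (not code from the question or the answer above), here is the programmatic equivalent of the `<tracking-mode>` element, so both configurations the question compares can be seen side by side. It assumes the javax.servlet 3.x API shipped with Tomcat 7 to 9 (Tomcat 10 and later use the `jakarta.servlet` package instead), and the context-param name `session.tracking` is a hypothetical switch invented for the example.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example: selects the session-tracking mode at deployment time.
 * Equivalent to <session-config><tracking-mode>...</tracking-mode></session-config>
 * in web.xml. Assumes the javax.servlet 3.x API (Tomcat 7-9); on Tomcat 10+
 * replace javax.servlet with jakarta.servlet.
 */
@WebListener
public class SessionTrackingConfig implements ServletContextListener {

    /** Hypothetical context-param; set it to "ssl" to try TLS-session tracking. */
    static final String MODE_PARAM = "session.tracking";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        String mode = ctx.getInitParameter(MODE_PARAM);

        if ("ssl".equalsIgnoreCase(mode)) {
            // SSL mode: the container keys the HttpSession on the TLS session id
            // instead of issuing a JSESSIONID of its own, so the session lives
            // and dies with the TLS session (see the answer's points 1-3).
            // The Servlet API rejects SSL combined with COOKIE or URL with an
            // IllegalArgumentException, so the set must contain SSL alone.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.SSL));
            return;
        }

        // Cookie-only mode, as recommended in the answer. Leaving URL out of the
        // set removes ;jsessionid=... rewriting entirely, which is what the
        // question's author already did to keep the id out of URLs and logs.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Harden the cookie so script cannot read it and it never travels over
        // plain HTTP. This is the web.xml <cookie-config> block in code form.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);   // sent only over TLS; fits a CLIENT-CERT deployment
        cookie.setMaxAge(-1);     // session cookie: discarded when the browser closes
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release: tracking-mode settings die with the context.
    }
}
```

Both `setSessionTrackingModes` and the `SessionCookieConfig` setters may only be called before the context finishes initialising, which is why the listener is declared with `@WebListener` (or in web.xml) rather than added with `ServletContext.addListener`; a listener added programmatically is not permitted to change this configuration. The same cookie-only setup in web.xml is `<session-config><tracking-mode>COOKIE</tracking-mode><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>`.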