2014-06-18 10:45 GMT+04:00 Radha Krishna Meduri -X (radmedur - HCL
TECHNOLOGIES LIMITED at Cisco) <radme...@cisco.com>:
> Hi Tomcat Users,
>
> We are using Tomcat 6.0.37. I have a few questions regarding the
> JSESSIONIDSSO cookie generated by Tomcat.
> As you know, in general each cookie needs to set the "HttpOnly" and "Secure"
> flags. I understand both JSESSIONID and JSESSIONIDSSO cookies are maintained
> by Tomcat for session management. The problem is that sometimes the "JSESSIONIDSSO"
> cookie does not have the "Secure" and "HttpOnly" flags set. For example, of the
> following two responses, in one JSESSIONIDSSO is set and in the other it is not. I
> would like to know whether this is expected in some scenarios. Your input is
> much appreciated.
> I could not find any documentation related to this on the tomcat.apache.org web
> site.
> Please help me.
>
> In a different application, which is using Tomcat 7.x, I could not find this
> cookie at all. Are there any fixes between Tomcat 6.0.37 and Tomcat 7.x related
> to JSESSIONIDSSO?
> Is there any behavior change?
>
> HTTP/1.1 200 OK
> Pragma: No-cache
> Cache-Control: no-store
> Expires: Wed, 31 Dec 1969 23:59:59 GMT
> Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; Secure; HttpOnly
> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; Secure; HttpOnly
> Content-Type: text/html;charset=utf-8
> Date: Tue, 17 Jun 2014 16:18:27 GMT
> Server: XYZ
> Content-Length: 71916
>
>
> HTTP/1.1 302 Found
> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 00:00:00 UTC
> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
> Location: https://X.Y.A.B/admin/login.jsp
> Content-Length: 0
> Date: Tue, 17 Jun 2014 16:21:17 GMT
> Server: XYZ
>

With that value of "Expires" the cookie is actually being cleared, not set.

The code for clearing the cookie is in
o.a.catalina.authenticator.SingleSignOn.invoke(...)

[[[
            cookie.setMaxAge(0);
            response.addCookie(cookie);
]]]

The code for setting the cookie is in
o.a.catalina.authenticator.AuthenticatorBase.register(...)


Best regards,
Konstantin Kolinko
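The distinction Konstantin draws above (a Set-Cookie whose Expires lies in the past is a deletion, so the absence of Secure/HttpOnly on it is not a flag-less session cookie) is easy to get wrong when auditing responses with a scanner that only greps for the flags. The following is an added example, not code from the thread or from Tomcat: a small Python audit that parses each Set-Cookie header, decides whether it sets or clears the cookie (Max-Age takes precedence over Expires, as RFC 6265 section 5.3 specifies; the response's own Date header is used as the reference clock, which is an assumption of this script), and reports missing Secure/HttpOnly only for cookies that are actually being set. The two responses from the question are embedded as sample input, plus a constructed third response that shows what a genuinely flag-less SSO cookie looks like to the audit.

```python
"""Audit Set-Cookie headers: separate cookies being set from cookies being
cleared, and flag session cookies that are set without Secure/HttpOnly."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cookie_date(text):
    """Parse an HTTP/cookie date. Returns an aware datetime or None."""
    # RFC 6265 cookie dates may be written "01-Jan-1970"; email.utils copes
    # with the hyphenated RFC 850 form, but normalising is cheap and explicit.
    try:
        dt = parsedate_to_datetime(text.replace("-", " "))
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def parse_set_cookie(header_value):
    """Split 'name=value; Attr=x; Flag' into (name, value, {attr: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def classify_cookie(header_value, now):
    """Decide whether a Set-Cookie sets or clears the cookie, and which
    hardening flags are missing when it really is being set."""
    name, _value, attrs = parse_set_cookie(header_value)
    cleared = False
    if "max-age" in attrs:  # Max-Age wins over Expires (RFC 6265 s5.3)
        try:
            cleared = int(attrs["max-age"]) <= 0
        except ValueError:
            pass
    elif "expires" in attrs:
        expires = parse_cookie_date(attrs["expires"])
        cleared = expires is not None and expires <= now
    missing = [] if cleared else [f for f in ("secure", "httponly") if f not in attrs]
    return {"name": name, "cleared": cleared, "missing_flags": missing}


def audit_response(raw_response):
    """Return one classification per Set-Cookie header in a raw HTTP response."""
    lines = raw_response.strip().splitlines()
    headers = []
    for line in lines[1:]:  # skip the status line
        key, _, val = line.partition(":")
        headers.append((key.strip().lower(), val.strip()))
    now = None
    for key, val in headers:
        if key == "date":
            now = parse_cookie_date(val)
    if now is None:  # no usable Date header: fall back to the wall clock
        now = datetime.now(timezone.utc)
    return [classify_cookie(val, now) for key, val in headers if key == "set-cookie"]


# Sample input: the two responses quoted in the question (values as posted).
RESPONSE_OK = """HTTP/1.1 200 OK
Pragma: No-cache
Cache-Control: no-store
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; Secure; HttpOnly
Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=utf-8
Date: Tue, 17 Jun 2014 16:18:27 GMT
Server: XYZ
Content-Length: 71916
"""

RESPONSE_REDIRECT = """HTTP/1.1 302 Found
Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
Location: https://X.Y.A.B/admin/login.jsp
Content-Length: 0
Date: Tue, 17 Jun 2014 16:21:17 GMT
Server: XYZ
"""

# Constructed (not from the thread): an SSO cookie really set without flags.
RESPONSE_WEAK = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONIDSSO=0000000000000000000000000000DEAD; Path=/
Date: Tue, 17 Jun 2014 16:25:00 GMT
"""

if __name__ == "__main__":
    for label, raw in (("200 OK", RESPONSE_OK), ("302", RESPONSE_REDIRECT), ("weak", RESPONSE_WEAK)):
        for result in audit_response(raw):
            action = "CLEARS" if result["cleared"] else "sets"
            print(f"{label}: {action} {result['name']}; missing={result['missing_flags']}")
```

Run against the thread's responses, the 302 is reported as clearing JSESSIONIDSSO with no finding, while the constructed third response is the only one that produces a missing-flag finding; that is the difference a scanner needs to encode before it raises "JSESSIONIDSSO set without Secure/HttpOnly" on a logout redirect.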
