stackoom
  简体   繁体   中英

JBoss 5: Use secure and httpOnly cookies and hide jsessionid from url

 原文  2014-08-12 10:50:30       java/ jsf/ cookies/ jboss

Question

I am using JBoss EAP 5.2. In order to use httpOnly and secure cookies I change context.xml file adding: 

<Context cookies="true" crossContext="true" >
   <SessionCookie secure="true" httpOnly="true" />
   ....

But now I can see the jsessionid in the URL in all requests. So in order to hide it I wrote a filter as suggested in RedHat's website ( https://access.redhat.com/solutions/16169 ) 

public class JsessionIdRemoveFilter implements Filter {

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {

            if (!(req instanceof HttpServletRequest)) {
                chain.doFilter(req, res);
                return;
            }

            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots)
            // This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots...
            if (request.isRequestedSessionIdFromURL()) {
                String url = request.getRequestURL()
                             .append(request.getQueryString() != null ? "?"+request.getQueryString() : "")
                             .toString();
                response.setHeader("Location", url);
                response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
                return;
            }

            // Prevent rendering of JSESSIONID in URLs for all outgoing links
            HttpServletResponseWrapper wrappedResponse =
                new HttpServletResponseWrapper(response) {
                    @Override
                    public String encodeRedirectUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeRedirectURL(String url) {
                        return url;
                    }

                    @Override
                    public String encodeUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeURL(String url) {
                        return url;
                    }
                };
            chain.doFilter(req, wrappedResponse);

        }

         public void destroy() {
         }

         public void init(FilterConfig arg0) throws ServletException {
         }
    }

But now I cannot login, I get an exception: javax.faces.application.ViewExpiredException

What am I missing? Please help

1 answers

solution1
 0  2014-08-27 07:54:37

为了使用secure = true,需要安装证书,以便请求通过https

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question JSESSIONID is set for both HttpOnly and Secure Jboss 5. HttpOnly session cookies How to remove JSESSIONID from cookies? JSESSIONID HttpOnly in Weblogic 10.3 C:url not appending jsessionid when cookies are disabled Removing JSESSIONID httponly vulnerability from karaf 4 pax-jetty How delete the JSESSIONID cookie from the browser with HttpOnly flag set Can not read JSESSIONID cookie after setting cookie-config to httpOnly and secure in web.xml How to add cookies with HttpOnly and Secure flags in Spring Webflux webclient? Put the flag secure and httponly in the cookies, in Liferay 6.2 (Localhost)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM