Weblogic 10.3 secure jsessionid cookie

Similar Messages

• Create the JSESSIONID cookie with the secure flag

  Hello,
  I wonder if it is possible, through UCM or Weblogic configurations, to automatically create the JSESSIONID cookie used when a user is logged on with the secure flag?
  I have not found any parameters so far that could allow this.
  Thanks in advance!

  We have public Websites running on UCM/SiteStudio which are only accessible through SSL by visitors. The aim is that every cookies should be secure to be sure that they are not transmitted in plain text to our server.
  We thus would like to find a way to put the secure flag on JSESSIONID to avoid any case of session hijacking.
  Thanks.
  Edited by: Leo-G on 17 juil. 2012 23:57

• Setting Secure and HttpOnly flags in JSESSIONID cookie

  I have a web app hosted on WebLogic (8.1 I'm afraid!), and want to secure the JSESSIONID cookie by setting the Secure and HttpOnly flags on it. The intention is to prevent cookie theft.
  As regards the Secure flag, I've tried using the myCookie.setSecure(true) method. This works fine when I debug and step through the code , but by the time the cookie gets back to the client, it has been reset to false again (I'm not clear what by though...).
  There isn't a Cookie method to allow you to set HttpOnly.
  I've thought of using a filter to intercept the response and set the flags explicitly, but this seems like a lot of work for something that seems very simple. I can't find anything in the WebLogic documentation that allows me to configure the settings either.
  Does anyone have any bright ideas about how I can do this?
  Thanks
  Geoff

  I don't think there is HTTPOnly support for WebLogic 8.1 or other versions.
  May be you want to send a note to WebLogic support to find out of they are planning this feature in future ?
  Jayesh
  Yagna Sys

• Disable jsessionid cookie in obiee 11g

  Hi All,
  How to disable creation of "jsessionid" cookie in a web browser.
  is something we can do from weblogic side? Appreciate our help.
  Thanks
  Ram

  Hi All,
  How to disable creation of "jsessionid" cookie in a web browser.
  is something we can do from weblogic side? Appreciate our help.
  Thanks
  Ram

• Unable to recreate JSESSIONID cookie in Internet Explorer

  Hello All,
  (Running  CF Version: 9,0,0,251028,   Windows 2008 Server,  IIS-7)
  I am using the code below to expire the JSESSIONID cookie that is generated by CF because CF does not set the "HTTPOnly" and "Secure" cookie attributes by default when the JSESSIONID is initially created .  I am then recreating the JSESSIONID cookie with the required attributes.
  This works great for all browsers EXCEPT Internet Explorer!
  When the code below runs in Internet Explorer, the JSESSIONID cookie does become expired as it should as seen in the 1st line of the function below.  However, The script after that fails to recreate the JSESSIONID in Internet Explorer.  this is driving me nuts because it works like a charm in ALL other browsers.
  I am aware of the solution which involves setting these attributes in an xml configuration file on the CF server.  However that solution is not an option for me.  I am forced to use the method below to setup my secure/httponly JSESSIONID cookie.  Any ideas would be greatly appreciated!!!
  <cffunction name="OnSessionStart" output="false" access="public" description="I fix the sessionid">  
           <cfcookie name="JSESSIONID" expires="now"/>              
         <cfscript> 
            var.HTTPOnly = "HTTPOnly";
            var.domain = cgi.server_name;       
            var.path = "/";
            var.secure = "Secure;";                         
            var.response = getPageContext().getResponse();              
            var.header = "JSESSIONID" & "=" & session.sessionid & ";domain=." & var.domain & ";path=" & var.path & ";" & var.secure & var.HTTPOnly;
            var.response.setHeader("SET-COOKIE", var.header);             
          </cfscript>       
          <cfreturn />
    </cffunction>

  Below is the responseHeader dump (from IE9).
  Looks the exact same in FireFox and Chrome.  However,  a cfdump of the cookie scope will reveal (JSESSIONID=), nothing, zip, zilch, nada in IE9. Since the JSESSIONID cookie value is empty or null, a login attempt will result in a flash of the screen and the user is never logged in.
  While a cfdump of Firefox and Chrome happily display a valid JSESSIONID cookie value and allow users to login to my application just fine.
  (Note:  The secure attribute is intentionally turned off due to my non-ssl dev pc.)
  Cache-Control
  no-cache, no-store, must-revalidate
  Connection
  close
  Content-Type
  text/html; charset=UTF-8
  Date
  Sat, 10 Sep 2011 19:35:08 GMT
  Explanation
  OK
  Http_Version
  HTTP/1.0
  SET-COOKIE
  struct
  1
  JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;domain=.localhost;path=/;HTTPOnly
  2
  JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;path=/
  3
  JSESSIONID=;expires=Fri, 10-Sep-2010 19:35:08 GMT;path=/
  Server
  JRun Web Server
  Status_Code
  200
  X-Frame-Options
  deny
  X-XSS-Protection
  1; mode=block
  expires
  {ts '2011-09-10 15:35:08'}
  pragma
  no-cache
  Thanks for the help!
  Neil

• Enable secure session cookie on Sun ONE Web Server 6.1

  How can I enable secure session cookie (JSESSIONID) on Sun ONE Web Server 6.1?.
  For 6.0 is <session-cookie is-secure="true"/> inside the <web-app> tags in web-apps.xml but I'm not able to find this setting for 6.1.

  There is a fix in 6.1sp5 that enables the session cookie to be marked as secure.
  See the release notes and search for 6262885 under Issues Resolved in 6.1sp5:
  http://docs.sun.com/app/docs/doc/819-2479/6n4p1bdea?a=view

• Setting cookie path for JSESSIONID cookie for admin console

            We've run into a strange problem with the JSESSIONID cookie created for the weblogic
            console application clashing with the JSESSIONID cookie created for our application.
            We've set the path to application JSESSIONID cookie but have been unable to set
            the cookie path for the console application JSESSIONID cookie.
            Anyone know how to do this?
            Thanks,
            Mark
            

  Create a JAAS Authentication Entry in the Server configuration.
  This should then appear in the drop-down when specifying your DataSource.

• Change JSESSIONID Cookie Name

  Can anyone provide a means for changing the JSESSIONID cookie name in IWS 6 to something else?
  I can not locate a mechanism for doing this anywhere.

  Thankyou Sultal for the response.
  Actually we are migrating the application server from Weblogic5.1 to Sun application server 8.2. The client is a mobile client and it sends the Cookie as 'JSESSIONID=session_id_val&WeblogicSession=session_id_val' as parameters, not as request header.It worked fine for Weblogic5.1 but not in Sun Application Server.
  To make it clear :
  Weblogic           :     request.getsession(false) = sessionObj@value
  Sun Application Server      :     request.getsession(false) = null
  Sun Application Server      :     request.getParameter("JSESSIONID") = session_id_val
  In the Weblogic5.1 we have set the cookie & session parameters in the weblogic.properties file as:
  weblogic.httpd.session.cookies.enable=true
  weblogic.httpd.session.cookie.name=WebLogicSession
  weblogic.httpd.session.neverReadPostData=false
  weblogic.httpd.session.timeoutSecs=120
  In case of Sun application server , JSESSIONID is not coming as a cookie , request.getsession(false) is returning null value.Is there a way to initialize the session with JSESSIONID request parameter?

• WebCentre Content usage of JSESSIONID cookie

  Hi
  We have an issue in our implementation where Webspehere and Weblogic compete on WebSeal for the same cookie name JSESSIONID (It actually looks more like it is Websphere and WebCentre Content that is competing for the JSESSIONID cookie since WebLogic seems to use ADMINCONSOLESESSION cookie). This results in unexpected behaviour in applications running within Websphere. We have confirmed that the issue is caused by a cookie preservation setting in WebSeal but we need this setting enabled for Oracle WebCentre Content and Autovue to work together.
  I am not sure if the following will work but I am thinking of changing WebCentre Content to use another cookie rather than JSESSIONID by explicitly adding a WEB-INF folder and use a weblogic.xml file to change the cookie-name.
  Anyone done this before or do you guys have any ideas on implications or options?
  Regards

  Hi EbodaWill,
  File daycare for fp 2324 where in you can configure & allow you to increase the request header size and avoid the bad request error OR for a package that improves client side persistence & does not use cookies.
  Thanks,
  Sham

• No JSESSIONID cookie found in log-in response

  The below code keeps throwing the "No JSESSIONID cookie found in log-in response"
  Public Sub Establish()
  If Not sessionId Is Nothing Then
  Destroy()
  End If
  CheckUsernamePassword()
  Dim req As HttpWebRequest
  req = WebRequest.Create(GetLogInURL())
  req.Headers.Add("UserName", username)
  req.Headers.Add("Password", password)
  req.CookieContainer = New CookieContainer
  Dim resp As HttpWebResponse
  resp = req.GetResponse()
  If resp.StatusCode = System.Net.HttpStatusCode.OK Then
  cookie = resp.Cookies("JSESSIONID")
  If cookie Is Nothing Then
  Throw New Exception("No JSESSIONID cookie found in log-in response!")
  End If
  sessionId = cookie.Value
  End If
  End Sub
  Any help on what I can do for this would be appreciated. Thanks.

  Hi,
  a VB Class for managing Session..
  __________________________________________ START OF FILE __________________________________________
  Imports System
  Imports System.Net
  Imports System.Web.Services.Protocols
  Public Class Session
  Public protocol As String = "https"
  Public server As String
  Public port As String = "443"
  Public username As String
  Public password As String
  Public sessionId As String = Nothing
  Public cookie As cookie
  Public Sub Establish()
  If Not sessionId Is Nothing Then
  Destroy()
  End If
  'Check that username and password have been specified
  CheckUsernamePassword()
  ' create a container for an HTTP request
  Dim req As HttpWebRequest
  req = WebRequest.Create(GetLogInURL())
  'username and password are passed as HTTP headers
  req.Headers.Add("UserName", username)
  req.Headers.Add("Password", password)
  'req.Headers.Add("Proxy", "proxy")
  'req.Headers.Add("Port", "80")
  ' cookie container has to be added to request in order to
  ' retrieve the cookie from the response.
  req.CookieContainer = New CookieContainer
  ' make the HTTP call
  Dim resp As HttpWebResponse
  resp = req.GetResponse()
  If resp.StatusCode = System.Net.HttpStatusCode.OK Then
  'store cookie for later...
  cookie = resp.Cookies("JSESSIONID")
  If cookie Is Nothing Then
  Throw New Exception("No JSESSIONID cookie found in log-in response!")
  End If
  sessionId = cookie.Value
  End If
  End Sub
  Public Sub Destroy()
  ' create a container for an HTTP request
  Dim req As HttpWebRequest
  req = WebRequest.Create(GetLogOffURL())
  ' reuse the cookie that was received at Login
  req.CookieContainer = New CookieContainer
  req.CookieContainer.Add(cookie)
  ' make the HTTP call
  Dim resp As HttpWebResponse
  resp = req.GetResponse()
  If resp.StatusCode <> System.Net.HttpStatusCode.OK Then
  Throw New Exception("Logging off failed!")
  End If
  ' forget current session id
  sessionId = Nothing
  End Sub
  Public Function GetURL() As String
  If sessionId Is Nothing Then
  Throw New Exception("No session has been established!")
  End If
  CheckServerPort()
  Return protocol + "://" + server + "/Services/Integration;jsessionid=" + sessionId
  End Function
  Public Function GetURL(ByVal obj As String) As String
  If sessionId Is Nothing Then
  Throw New Exception("No session has been established!")
  End If
  CheckServerPort()
  Return protocol + "://" + server + ":" + port + "/Services/Integration/" + obj
  End Function
  Private Function GetLogInURL() As String
  CheckServerPort()
  Return protocol + "://" + server + "/Services/Integration?command=login"
  End Function
  Private Function GetLogOffURL() As String
  CheckServerPort()
  Return protocol + "://" + server + "/Services/Integration?command=logoff"
  End Function
  Private Sub CheckServerPort()
  If server Is Nothing Then
  Throw New Exception("Server not specified!")
  End If
  If port Is Nothing Then
  Throw New Exception("Port not specified!")
  End If
  End Sub
  Private Sub CheckUsernamePassword()
  If username Is Nothing Then
  Throw New Exception("Username not specified!")
  End If
  If password Is Nothing Then
  Throw New Exception("Password not specified!")
  End If
  End Sub
  End Class
  __________________________________________ START OF FILE __________________________________________
  Regards,
  Gerald

• WAS4 HttpSession.getId() != JSESSIONID cookie value

  Question: Should the session identifier value assigned to the JSESSIONID cookie by the servlet container be the exact same value returned by calling HttpSession.getId()?
  IBM's WebSphere Application Server (AEs) Version 4.0.x (WAS4) does not return the same value. The session identifier value assigned to the JSESSIONID cookie is 27 characters long, but the value returned by HttpSession.getId() only returns 23 characters. More precisely it is the last 23 characters of the 27 character value assigned to the JSESSIONID cookie.
  WAS4 is supposed to support Sun's Java Servlet Specification Version 2.2. In my opinion, it does not fully 100% support this specification because of what I just stated above.
  I would like to hear the Java Servlet Developer Community's opinion on this. Especially you Java Servlet Specification people and Sun.
  Here is the API documentation for HttpSession.getId().
  ===================================
  getId()
  public java.lang.String getId()
  Returns a string containing the unique identifier assigned to this session. The identifier is assigned by the servlet container and is implementation dependent.
  Returns: a string specifying the identifier assigned to this session
  ===================================
  Full HttpSession API documentation found at: http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSession.html
  Sun's Java Servlet Specification V2.2 documentation:
  ftp://ftp.java.sun.com/pub/servlet/22final-182874/servlet2_2-spec.pdf

  UPDATE: The value of the JSESSIONID cookie is not 27 characters long, its 30 characters long. the lenght of the value returned by HttpSession.getId() is still only 23 characters long. IBM has inserted 4 characters in the front and 3 characters in the back.
  30 != 23

• Share JSESSIONID cookie between 2 contexts

  Hi all,
  I am trying to share the JSESSIONID cookie between 2 contexts on the same virtual server.
  www.evador.ca/a and www.evador.ca/b
  I tried to put the following in my sun-web.xml:
  <session-config>
  <cookie-properties>
  <property name="cookieDomain" value=".evador.ca";>
  <description>The domain for which the cookie is valid.</description>
  </property>
  <property name="cookiePath" value="/" />
  </cookie-properties>
  </session-config>
  With Firefox I can look at the cookies created. There is only one JSESSIONID with path / and domain .evador.ca. But even with these encouraging info I cannot see the cookie in both contexts...
  I have an another cookie for localization purposes (That I create my self) called lang and believe it or not this works:
  langCookie.setMaxAge(Integer.MAX_VALUE);
  langCookie.setPath("/");
  langCookie.setDomain(domainName);
  response.addCookie(langCookie);
  What am I doing wrong?
  Thank you,
  Luc
  Edited by: lucbard on Dec 7, 2007 2:55 PM

  Servlet specification mentions:
  SRV.7.3 Session Scope
  HttpSession objects must be scoped at the application (or servlet context) level.
  The underlying mechanism, such as the cookie used to establish the session, can be
  the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.
  You cannot share a cookie between 2 contexts.

• Weblogic.developer.interest.security has moved!

  This newsgroup has been relocated. Going forward, please use the weblogic.developer.interest.security newsgroup, which will be located in the [url http://forums.bea.com/category.jspa?categoryID=2004]WebLogic Server/Java EE Newsgroups folder, located at:
  http://forums.bea.com/category.jspa?categoryID=2004

  Pls mention the WLS version & service pack level
            Kumar
            Kevin wrote:
            > Has anyone seen this nasty error before. It is killing my server and Idon't yet know why I get it.Tue Jun 26 19:10:52 CST 2001:<E> <ServletContext-General> Servlet failed with Exceptionjava.lang.ArrayIndexOutOfBoundsException: 7743536at weblogic.servlet.jsp.JspBase.service(Compiled Code)at weblogic.servlet.internal.ServletStubImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletStubImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextManager.invokeServlet(Compiled Code)at weblogic.socket.MuxableSocketHTTP.invokeServlet(Compiled Code)at weblogic.socket.MuxableSocketHTTP.execute(Compiled Code)at weblogic.kernel.ExecuteThread.run(Compiled Code)
            

• Unable to delete JSESSIONID cookie from ADF application

  Hi all
  I have a ADF application where i am using Logout button with action in managed bean. I want to delete the JSESSIONID cookie after logout.
  The logout bean is invalding the session and deleting the cookies. See code below.
  However code is not deleting the JSESSIONID cookie. I can see the cookie still exist in browser. Tester can use "back" button of browser and can see the user is still logged in application.
  How can delete JESSIONID cookie permanetly after logout action ? Am i missing some thing in code ? I am uing JDeveloper 11.1.1.5.0
  Mukesh
  =======
  public String AfterLogOut_action() {
  FacesContext fctx = FacesContext.getCurrentInstance();
  ExternalContext ectx = fctx.getExternalContext();
  String url = ectx.getRequestContextPath() + "/adfAuthentication?logout=true&end_url=/login.html";
  HttpServletRequest request = (HttpServletRequest)ectx.getRequest();
  HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
  HttpSession session = (HttpSession)ectx.getSession(false);
  // Step 1 : delete the cookies
  if (request.getCookies() != null) {    
  for (Cookie cookie : request.getCookies()) {
  cookie.setMaxAge(0);
  cookie.setPath("/");
  response.addCookie(cookie);
  // Step 2 : Invalidate the session
  try {
  session.invalidate();
  ectx.redirect(url);
  } catch (IOException e) {
  e.printStackTrace();
  fctx.responseComplete();
  return null;
  ==========
  Edited by: Mukesh S Patil on May 11, 2013 5:44 PM

  Hi Guys.
  Any help ?
  Mukesh

• How to secure CFGLOBALS cookie

  To secure CFGLOBALS  cookie I tried the following method as I did for CFID and CFTOKEN . But its not working for CFGLOBALS . Note that this method is working fine for CFID and CFTOKEN.
  <cfset cf_ssn_cookies = {httponly='true', secure='true'}>
  <cfapplication name="ABCD" clientmanagement="Yes" sessionmanagement="Yes" setclientcookies="Yes"sessioncookie=#cf_ssn_cookies#>
  Any idea why the HTTPOnly and SECURE flags are not setting up for CFGLOBALS cookie.

  Ya .... Can you just send the summary.....
  BK ,  can you do one more help. I have posted another question here How to prevent clickjacking issue in CF. If possible can you just look into it.